Package: libssh2 / 1.8.0-2.1

CVE-2019-3862.patch Patch series | download
Description: Out-of-bounds memory comparison
Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
Bug-Debian: https://bugs.debian.org/924965
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3862
Forwarded: not-needed
Last-Update: 2019-03-30

--- a/src/packet.c
+++ b/src/packet.c
@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
                 uint32_t len = _libssh2_ntohu32(data + 5);
                 unsigned char want_reply = 1;
 
-                if(len < (datalen - 10))
-                    want_reply = data[9 + len];
+                if((len + 9) < datalen)
+                    want_reply = data[len + 9];
 
                 _libssh2_debug(session,
                                LIBSSH2_TRACE_CONN,
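Review bot: The new test `(len + 9) < datalen` adds in `uint32_t`, so a `len` within 9 of `UINT32_MAX` wraps to a small value, passes the test, and `want_reply` is then taken from an unrelated byte instead of keeping its default. Comparing by subtraction avoids the wrap: `if(len < datalen - 9)`, assuming the enclosing guard (outside the hunk) already ensures `datalen >= 9`, which the read at `data + 5` just above requires. Separately, an oversized `len` is only skipped here, not rejected, and it is still passed together with `data + 9` to the `_libssh2_debug` call that follows. If that call's format string (not visible in the hunk) prints `len` bytes, the trace reads past the packet, so bailing out or clamping `len` before the call would be safer.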
@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
                                channel, len, data + 9, want_reply);
 
                 if (len == sizeof("exit-status") - 1
+                    && (sizeof("exit-status") - 1 + 9) <= datalen
                     && !memcmp("exit-status", data + 9,
                                sizeof("exit-status") - 1)) {
 
@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
                         channelp =
                             _libssh2_channel_locate(session, channel);
 
-                    if (channelp) {
+                    if (channelp && (sizeof("exit-status") + 13) <= datalen) {
                         channelp->exit_status =
                             _libssh2_ntohu32(data + 9 + sizeof("exit-status"));
                         _libssh2_debug(session, LIBSSH2_TRACE_CONN,
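Review bot: The bound `(sizeof("exit-status") + 13) <= datalen` is correct for the 4-byte read at `data + 9 + sizeof("exit-status")`, but it is hard to verify at a glance. It lets the literal's NUL terminator stand in for the want_reply byte, while the memcmp guard in the previous hunk spells the same layout as `sizeof(...) - 1 + 9`. A one-line comment above the condition would make the arithmetic checkable, e.g. `/* 9 header bytes + name + want_reply byte + uint32 exit status */`. The same applies to the `exit-signal` check in the next hunk. With these checks in place, the older `if(datalen >= 20)` guard visible in the exit-signal hunk no longer bounds any read on its own and could be folded into the new condition.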
@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
 
                 }
                 else if (len == sizeof("exit-signal") - 1
+                         && (sizeof("exit-signal") - 1 + 9) <= datalen
                          && !memcmp("exit-signal", data + 9,
                                     sizeof("exit-signal") - 1)) {
                     /* command terminated due to signal */
                     if(datalen >= 20)
                         channelp = _libssh2_channel_locate(session, channel);
 
-                    if (channelp) {
+                    if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
                         /* set signal name (without SIG prefix) */
                         uint32_t namelen =
                             _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
                         if (!channelp->exit_signal)
                             rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
                                                 "memory for signal name");
-                        else {
+                        else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
                             memcpy(channelp->exit_signal,
-                                   data + 13 + sizeof("exit_signal"), namelen);
+                                   data + 13 + sizeof("exit-signal"), namelen);
                             channelp->exit_signal[namelen] = '\0';
                             /* TODO: save error message and language tag */
                             _libssh2_debug(session, LIBSSH2_TRACE_CONN,
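Review bot: When the new `else if` bound fails, `channelp->exit_signal` stays allocated but is never written or terminated, and no error is set, so a later reader of the signal name would see indeterminate heap bytes. The allocation itself sits above the hunk, so this is inferred from the `LIBSSH2_ERROR_ALLOC` branch. A final `else` that releases the buffer, `LIBSSH2_FREE(session, channelp->exit_signal); channelp->exit_signal = NULL;`, would keep the field either valid or NULL. The sum `sizeof("exit-signal") + 13 + namelen` can also wrap where `size_t` is 32 bits. Since the outer check already guarantees `datalen >= sizeof("exit-signal") + 13`, the form `else if (namelen <= datalen - (sizeof("exit-signal") + 13)) {` is wrap-free; the block continues past the end of the hunk.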