Package: libssh2 / 1.8.0-2.1

CVE-2019-3863.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Description: Integer overflow in user authenicate keyboard interactive allows out-of-bounds writes
Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
Bug-Debian: https://bugs.debian.org/924965
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3863
Forwarded: not-needed
Last-Update: 2019-03-30

--- a/src/userauth.c
+++ b/src/userauth.c
@@ -1831,8 +1831,17 @@ userauth_keyboard_interactive(LIBSSH2_SE
 
             for(i = 0; i < session->userauth_kybd_num_prompts; i++) {
                 /* string    response[1] (ISO-10646 UTF-8) */
-                session->userauth_kybd_packet_len +=
-                    4 + session->userauth_kybd_responses[i].length;
+                 if(session->userauth_kybd_responses[i].length <=
+                   (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
+                    session->userauth_kybd_packet_len +=
+                        4 + session->userauth_kybd_responses[i].length;
+                }
+                else {
+                    _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+                                   "Unable to allocate memory for keyboard-"
+                                   "interactive response packet");
+                    goto cleanup;
+                }
             }
 
             /* A new userauth_kybd_data area is to be allocated, free the