File libssh-CVE-2026-0968-sftp-Sanitize-input-handling-in-sftp_p.patch of Package libssh.42763
From 796d85f786dff62bd4bcc4408d9b7bbc855841e9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 22 Dec 2025 20:59:11 +0100
Subject: [PATCH 02/12] CVE-2026-0968: sftp: Sanitize input handling in
sftp_parse_longname()
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 20856f44c146468c830da61dcbbbaa8ce71e390b)
Index: libssh-0.9.8/src/sftp.c
===================================================================
--- libssh-0.9.8.orig/src/sftp.c
+++ libssh-0.9.8/src/sftp.c
@@ -1292,16 +1292,21 @@ enum sftp_longname_field_e {
static char *sftp_parse_longname(const char *longname,
enum sftp_longname_field_e longname_field) {
- const char *p, *q;
+ const char *p = NULL, *q = NULL;
size_t len, field = 0;
+ if (longname == NULL || longname_field < SFTP_LONGNAME_PERM ||
+ longname_field > SFTP_LONGNAME_NAME) {
+ return NULL;
+ }
+
p = longname;
/* Find the beginning of the field which is specified by sftp_longanme_field_e. */
- while(field != longname_field) {
+ while (*p != '\0' && field != longname_field) {
if(isspace(*p)) {
field++;
p++;
- while(*p && isspace(*p)) {
+ while (*p != '\0' && isspace(*p)) {
p++;
}
} else {
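Review bot: The `isspace(*p)` calls kept in this loop, and `!isspace(*q)` in the second hunk, still pass a plain `char` read from the longname string. That is undefined behaviour for bytes above 0x7f on platforms where `char` is signed. The longname presumably comes from the SFTP server, so those bytes are untrusted input. Casting at each call, `isspace((unsigned char)*p)` and `!isspace((unsigned char)*q)`, removes the problem without changing how fields are split. The body of sftp_parse_longname() continues past the end of this hunk.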
@@ -1309,8 +1314,13 @@ static char *sftp_parse_longname(const c
}
}
+ /* If we reached NULL before we got our field fail */
+ if (field != longname_field) {
+ return NULL;
+ }
+
q = p;
- while (! isspace(*q)) {
+ while (*q != '\0' && !isspace(*q)) {
q++;
}
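Review bot: The added `field != longname_field` check still passes when the input ends in whitespace just as the requested field index is reached. In that case `p` is left on the terminator, `q` equals `p`, and the function continues with a zero-length field. The rest of the function is outside this hunk, so what gets returned cannot be confirmed here. If an empty field is not a valid result, the guard could be `if (field != longname_field || *p == '\0') {`. The new comment also says "NULL" where it means the string terminator; something like `/* Reached the end of the string before the requested field */` would read more clearly.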