File CVE-2015-3146-Prevent-null-pointer-dereference.patch of Package libssh.openSUSE_13.1_Update
From cadc76a8b450f4e2181009c8faa2c4dace9bcc2c Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Wed, 15 Apr 2015 16:08:37 +0200
Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
The state validation in the packet handlers for SSH_MSG_NEWKEYS and
SSH_MSG_KEXDH_REPLY had a bug that failed to raise an error.
The issue has been found and reported by Mariusz Ziule.
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/client.c | 4 ++--
src/server.c | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
Index: libssh-0.5.5/src/client.c
===================================================================
--- libssh-0.5.5.orig/src/client.c
+++ libssh-0.5.5/src/client.c
@@ -186,7 +186,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply)
(void)type;
(void)user;
ssh_log(session,SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
- if(session->session_state!= SSH_SESSION_STATE_DH &&
+ if(session->session_state!= SSH_SESSION_STATE_DH ||
session->dh_handshake_state != DH_STATE_INIT_SENT){
ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
session->session_state,session->dh_handshake_state);
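Review bot: The corrected `||` now rejects a KEXDH_REPLY unless both session_state is SSH_SESSION_STATE_DH and dh_handshake_state is DH_STATE_INIT_SENT, but the hunk stops at the ssh_set_error call, so whether the handler then moves the session into SSH_SESSION_STATE_ERROR (as the server.c hunk does for KEXDH_INIT) is not visible; please confirm the error path does, otherwise a rejected reply leaves the session state unchanged. The same `&&`→`||` fix in ssh_packet_newkeys (second hunk of this file) is written with a space after `if` and around `!=` while this one keeps the old compact spacing; pick one form for both. A short comment above the check would make the intent durable: `/* a KEXDH_REPLY is only valid while in DH state with our INIT already sent */`. ssh_packet_dh_reply continues outside the hunk.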
@@ -246,7 +246,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
(void)user;
(void)type;
ssh_log(session, SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
- if(session->session_state!= SSH_SESSION_STATE_DH &&
+ if (session->session_state != SSH_SESSION_STATE_DH ||
session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
session->session_state,session->dh_handshake_state);
Index: libssh-0.5.5/src/server.c
===================================================================
--- libssh-0.5.5.orig/src/server.c
+++ libssh-0.5.5/src/server.c
@@ -133,6 +133,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_ini
ssh_log(session,SSH_LOG_PACKET,"Received SSH_MSG_KEXDH_INIT");
if(session->dh_handshake_state != DH_STATE_INIT){
ssh_log(session,SSH_LOG_RARE,"Invalid state for SSH_MSG_KEXDH_INIT");
+ session->session_state=SSH_SESSION_STATE_ERROR;
goto error;
}
e = buffer_get_ssh_string(packet);
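Review bot: The new `session->session_state=SSH_SESSION_STATE_ERROR;` is not paired with an ssh_set_error call, so the session is failed with only an SSH_LOG_RARE log line and no error string for the caller, unlike the client handlers in this patch, which call ssh_set_error with SSH_FATAL and the offending state values. Consider `ssh_set_error(session, SSH_FATAL, "ssh_packet_kexdh_init called in wrong state : %d", session->dh_handshake_state);` before the assignment. The `error` label targeted by `goto error` lies outside the hunk, so whether it already records an error is not visible here.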
Index: libssh-0.5.5/src/buffer.c
===================================================================
--- libssh-0.5.5.orig/src/buffer.c
+++ libssh-0.5.5/src/buffer.c
@@ -188,6 +188,9 @@ int buffer_reinit(struct ssh_buffer_stru
int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
buffer_verify(buffer);
+ if (data == NULL){
+ return -1;
+ }
if (buffer->used + len < len)
return -1;
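Review bot: The new NULL guard returns -1 without being distinguishable from the overflow check two lines below, so a caller sees the same failure for a NULL source as for `buffer->used + len` wrapping; the reason belongs in a comment, e.g. `/* a NULL source must not reach the copy below; fail the same way an overflow does */`. Note also that NULL data with len 0 is now rejected rather than treated as a no-op — if any caller relies on `buffer_add_data(buf, NULL, 0)`, the guard would need to be `if (data == NULL && len > 0)`; callers are not visible from this hunk, so this is a point to check rather than a confirmed regression. The hunk header counts six old lines but only four are visible, so blank context lines appear to have been dropped on this page; the rest of buffer_add_data is outside the hunk.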
@@ -220,6 +223,9 @@ int buffer_add_ssh_string(struct ssh_buf
struct ssh_string_struct *string) {
uint32_t len = 0;
+ if (string == NULL){
+ return -1;
+ }
len = ssh_string_len(string);
if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
return -1;
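Review bot: With `string` now checked for NULL, the remaining concern on the buffer_add_data call is the length arithmetic: `len` is a uint32_t and `len + sizeof(uint32_t)` is evaluated as size_t but converted back to buffer_add_data's uint32_t `len` parameter, so a string whose length is above UINT32_MAX - 4 would wrap to a small count. Whether such an ssh_string can exist depends on the bounds enforced where strings are created or parsed, which are not visible here; if that is not guaranteed, add `if (len > UINT32_MAX - sizeof(uint32_t)) return -1;` before the call. buffer_add_ssh_string continues past the hunk.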