File libssh2_org-CVE-2019-3859.patch of Package libssh2_org.13039
Index: libssh2-1.8.0/src/channel.c
===================================================================
--- libssh2-1.8.0.orig/src/channel.c
+++ libssh2-1.8.0/src/channel.c
@@ -238,7 +238,20 @@ _libssh2_channel_open(LIBSSH2_SESSION *
goto channel_error;
}
+ if(session->open_data_len < 1) {
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet size");
+ goto channel_error;
+ }
+
if (session->open_data[0] == SSH_MSG_CHANNEL_OPEN_CONFIRMATION) {
+
+ if(session->open_data_len < 17) {
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet size");
+ goto channel_error;
+ }
+
session->open_channel->remote.id =
_libssh2_ntohu32(session->open_data + 5);
session->open_channel->local.window_size =
@@ -518,7 +531,7 @@ channel_forward_listen(LIBSSH2_SESSION *
if (rc == LIBSSH2_ERROR_EAGAIN) {
_libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block");
return NULL;
- } else if (rc) {
+ } else if (rc || data_len < 1) {
_libssh2_error(session, LIBSSH2_ERROR_PROTO, "Unknown");
session->fwdLstn_state = libssh2_NB_state_idle;
return NULL;
@@ -855,6 +868,11 @@ static int channel_setenv(LIBSSH2_CHANNE
channel->setenv_state = libssh2_NB_state_idle;
return rc;
}
+ else if(data_len < 1) {
+ channel->setenv_state = libssh2_NB_state_idle;
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet size");
+ }
if (data[0] == SSH_MSG_CHANNEL_SUCCESS) {
LIBSSH2_FREE(session, data);
@@ -971,7 +989,7 @@ static int channel_request_pty(LIBSSH2_C
&channel->reqPTY_packet_requirev_state);
if (rc == LIBSSH2_ERROR_EAGAIN) {
return rc;
- } else if (rc) {
+ } else if (rc || data_len < 1) {
channel->reqPTY_state = libssh2_NB_state_idle;
return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
"Failed to require the PTY package");
@@ -1197,7 +1215,7 @@ channel_x11_req(LIBSSH2_CHANNEL *channel
&channel->reqX11_packet_requirev_state);
if (rc == LIBSSH2_ERROR_EAGAIN) {
return rc;
- } else if (rc) {
+ } else if (rc || data_len < 1) {
channel->reqX11_state = libssh2_NB_state_idle;
return _libssh2_error(session, rc,
"waiting for x11-req response packet");
@@ -1324,7 +1342,7 @@ _libssh2_channel_process_startup(LIBSSH2
&channel->process_packet_requirev_state);
if (rc == LIBSSH2_ERROR_EAGAIN) {
return rc;
- } else if (rc) {
+ } else if (rc || data_len < 1) {
channel->process_state = libssh2_NB_state_end;
return _libssh2_error(session, rc,
"Failed waiting for channel success");
Index: libssh2-1.8.0/src/kex.c
===================================================================
--- libssh2-1.8.0.orig/src/kex.c
+++ libssh2-1.8.0/src/kex.c
@@ -228,11 +228,23 @@ static int diffie_hellman_sha1(LIBSSH2_S
}
/* Parse KEXDH_REPLY */
+ if(exchange_state->s_packet_len < 5) {
+ ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet length");
+ goto clean_exit;
+ }
+
exchange_state->s = exchange_state->s_packet + 1;
session->server_hostkey_len = _libssh2_ntohu32(exchange_state->s);
exchange_state->s += 4;
+ if(session->server_hostkey_len > exchange_state->s_packet_len - 5) {
+ ret = _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+ "Host key length out of bounds");
+ goto clean_exit;
+ }
+
if (session->server_hostkey)
LIBSSH2_FREE(session, session->server_hostkey);
@@ -848,11 +860,23 @@ static int diffie_hellman_sha256(LIBSSH2
}
/* Parse KEXDH_REPLY */
+ if(exchange_state->s_packet_len < 5) {
+ ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet length");
+ goto clean_exit;
+ }
+
exchange_state->s = exchange_state->s_packet + 1;
session->server_hostkey_len = _libssh2_ntohu32(exchange_state->s);
exchange_state->s += 4;
+ if(session->server_hostkey_len > exchange_state->s_packet_len - 5) {
+ ret = _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+ "Host key length out of bounds");
+ goto clean_exit;
+ }
+
if (session->server_hostkey)
LIBSSH2_FREE(session, session->server_hostkey);
Index: libssh2-1.8.0/src/session.c
===================================================================
--- libssh2-1.8.0.orig/src/session.c
+++ libssh2-1.8.0/src/session.c
@@ -765,6 +765,11 @@ session_startup(LIBSSH2_SESSION *session
if (rc)
return rc;
+ if(session->startup_data_len < 5) {
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet length");
+ }
+
session->startup_service_length =
_libssh2_ntohu32(session->startup_data + 1);
Index: libssh2-1.8.0/src/userauth.c
===================================================================
--- libssh2-1.8.0.orig/src/userauth.c
+++ libssh2-1.8.0/src/userauth.c
@@ -107,7 +107,7 @@ static char *userauth_list(LIBSSH2_SESSI
LIBSSH2_FREE(session, session->userauth_list_data);
session->userauth_list_data = NULL;
- if (rc) {
+ if (rc || (session->userauth_list_data_len < 1)) {
_libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND,
"Unable to send userauth-none request");
session->userauth_list_state = libssh2_NB_state_idle;
@@ -143,8 +143,20 @@ static char *userauth_list(LIBSSH2_SESSI
return NULL;
}
- methods_len = _libssh2_ntohu32(session->userauth_list_data + 1);
+ if(session->userauth_list_data_len < 5) {
+ LIBSSH2_FREE(session, session->userauth_list_data);
+ session->userauth_list_data = NULL;
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet size");
+ return NULL;
+ }
+ methods_len = _libssh2_ntohu32(session->userauth_list_data + 1);
+ if(methods_len >= session->userauth_list_data_len - 5) {
+ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+ "Unexpected userauth list size");
+ return NULL;
+ }
/* Do note that the memory areas overlap! */
memmove(session->userauth_list_data, session->userauth_list_data + 5,
methods_len);
@@ -285,6 +297,11 @@ userauth_password(LIBSSH2_SESSION *sessi
return _libssh2_error(session, rc,
"Waiting for password response");
}
+ else if(session->userauth_pswd_data_len < 1) {
+ session->userauth_pswd_state = libssh2_NB_state_idle;
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet size");
+ }
if (session->userauth_pswd_data[0] == SSH_MSG_USERAUTH_SUCCESS) {
_libssh2_debug(session, LIBSSH2_TRACE_AUTH,
@@ -312,6 +329,12 @@ userauth_password(LIBSSH2_SESSION *sessi
session->userauth_pswd_state = libssh2_NB_state_sent1;
}
+ if(session->userauth_pswd_data_len < 1) {
+ session->userauth_pswd_state = libssh2_NB_state_idle;
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "Unexpected packet size");
+ }
+
if ((session->userauth_pswd_data[0] ==
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ)
|| (session->userauth_pswd_data0 ==
@@ -976,7 +999,7 @@ userauth_hostbased_fromfile(LIBSSH2_SESS
}
session->userauth_host_state = libssh2_NB_state_idle;
- if (rc) {
+ if (rc || data_len < 1) {
return _libssh2_error(session, LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED,
"Auth failed");
}
@@ -1149,7 +1172,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESS
NULL, 0);
if (rc == LIBSSH2_ERROR_EAGAIN)
return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block");
- else if (rc) {
+ else if (rc || (session->userauth_pblc_data_len < 1)) {
LIBSSH2_FREE(session, session->userauth_pblc_packet);
session->userauth_pblc_packet = NULL;
LIBSSH2_FREE(session, session->userauth_pblc_method);
@@ -1332,7 +1355,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESS
if (rc == LIBSSH2_ERROR_EAGAIN) {
return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN,
"Would block requesting userauth list");
- } else if (rc) {
+ } else if (rc || session->userauth_pblc_data_len < 1) {
session->userauth_pblc_state = libssh2_NB_state_idle;
return _libssh2_error(session, LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED,
"Waiting for publickey USERAUTH response");
@@ -1654,7 +1677,7 @@ userauth_keyboard_interactive(LIBSSH2_SE
if (rc == LIBSSH2_ERROR_EAGAIN) {
return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN,
"Would block");
- } else if (rc) {
+ } else if (rc || session->userauth_kybd_data_len < 1) {
session->userauth_kybd_state = libssh2_NB_state_idle;
return _libssh2_error(session,
LIBSSH2_ERROR_AUTHENTICATION_FAILED,
