libssh2/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch

From 336bd86d2ca4030b808d76e56a0387914982e289 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Fri, 13 Sep 2019 09:45:34 -0700
Subject: [PATCH] packet.c: improved parsing in packet_x11_open (#410)

Use new API to parse data in packet_x11_open() for better bounds checking.
---
 src/packet.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 49 insertions(+), 14 deletions(-)

diff --git a/src/packet.c b/src/packet.c
index c83a68d..9897f77 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -295,21 +295,56 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data,
     LIBSSH2_CHANNEL *channel = x11open_state->channel;
     int rc;
 
-    (void) datalen;
-
     if(x11open_state->state == libssh2_NB_state_idle) {
-        unsigned char *s = data + (sizeof("x11") - 1) + 5;
-        x11open_state->sender_channel = _libssh2_ntohu32(s);
-        s += 4;
-        x11open_state->initial_window_size = _libssh2_ntohu32(s);
-        s += 4;
-        x11open_state->packet_size = _libssh2_ntohu32(s);
-        s += 4;
-        x11open_state->shost_len = _libssh2_ntohu32(s);
-        s += 4;
-        x11open_state->shost = s;
-        s += x11open_state->shost_len;
-        x11open_state->sport = _libssh2_ntohu32(s);
+
+        unsigned long offset = (sizeof("x11") - 1) + 5;
+        size_t temp_len = 0;
+        struct string_buf buf;
+        buf.data = data;
+        buf.dataptr = buf.data;
+        buf.len = datalen;
+
+        if(datalen < offset) {
+            _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+                           "unexpected data length");
+            failure_code = SSH_OPEN_CONNECT_FAILED;
+            goto x11_exit;
+        }
+
+        buf.dataptr += offset;
+
+        if(_libssh2_get_u32(&buf, &(x11open_state->sender_channel))) {
+            _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+                           "unexpected sender channel size");
+            failure_code = SSH_OPEN_CONNECT_FAILED;
+            goto x11_exit;
+        }
+        if(_libssh2_get_u32(&buf, &(x11open_state->initial_window_size))) {
+            _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+                           "unexpected window size");
+            failure_code = SSH_OPEN_CONNECT_FAILED;
+            goto x11_exit;
+        }
+        if(_libssh2_get_u32(&buf, &(x11open_state->packet_size))) {
+            _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+                           "unexpected window size");
+            failure_code = SSH_OPEN_CONNECT_FAILED;
+            goto x11_exit;
+        }
+        if(_libssh2_get_string(&buf, &(x11open_state->shost), &temp_len)) {
+            _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+                           "unexpected host size");
+            failure_code = SSH_OPEN_CONNECT_FAILED;
+            goto x11_exit;
+        }
+        x11open_state->shost_len = (uint32_t)temp_len;
+
+        if(_libssh2_get_u32(&buf, &(x11open_state->sport))) {
+            _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+                           "unexpected port size");
+            failure_code = SSH_OPEN_CONNECT_FAILED;
+            goto x11_exit;
+        }
 
         _libssh2_debug(session, LIBSSH2_TRACE_CONN,
                        "X11 Connection Received from %s:%ld on channel %lu",
-- 
1.8.3.1