!8 fix heap buffer overflow in kex.c

Merge pull request !8 from songzifeng/master
2020-06-04 18:58:59 +08:00 · 2020-06-04 18:58:59 +08:00 · 0c9822b8d2
commit 0c9822b8d2
parent 9ff9bfcd64 84d63c959c
2 changed files with 129 additions and 3 deletions
--- a/fix-heap-buffer-overflow-in-kex_agree_methods.patch
+++ b/fix-heap-buffer-overflow-in-kex_agree_methods.patch
@ -0,0 +1,119 @@
+From 43f24eb152b8ec62473d2de6108d7c0b267b2419 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Tue, 27 Aug 2019 10:58:52 -0700
+Subject: [PATCH] kex.c: improve bounds checking in kex_agree_methods() (#399)
+
+file: kex.c
+
+notes:
+use _libssh2_get_string instead of kex_string_pair which does additional checks
+---
+ src/kex.c | 65 ++++++++++++++++++++-----------------------------------
+ 1 file changed, 24 insertions(+), 41 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index df9a4fdd6..7b111feaa 100644
+--- a/src/kex.c
+++ b/src/kex.c
+@@ -3937,35 +3937,10 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ }
+
+
+-
+ /* TODO: When in server mode we need to turn this logic on its head
+  * The Client gets to make the final call on "agreed methods"
+  */
+
+-/*
+- * kex_string_pair() extracts a string from the packet and makes sure it fits
+- * within the given packet.
+- */
+-static int kex_string_pair(unsigned char **sp,   /* parsing position */
+-                           unsigned char *data,  /* start pointer to packet */
+-                           size_t data_len,      /* size of total packet */
+-                           size_t *lenp,         /* length of the string */
+-                           unsigned char **strp) /* pointer to string start */
+-{
+-    unsigned char *s = *sp;
+-    *lenp = _libssh2_ntohu32(s);
+-
+-    /* the length of the string must fit within the current pointer and the
+-       end of the packet */
+-    if(*lenp > (data_len - (s - data) -4))
+-        return 1;
+-    *strp = s + 4;
+-    s += 4 + *lenp;
+-
+-    *sp = s;
+-    return 0;
+-}
+-
+ /* kex_agree_methods
+  * Decide which specific method to use of the methods offered by each party
+  */
+@@ -3976,40 +3951,48 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+         *mac_cs, *mac_sc;
+     size_t kex_len, hostkey_len, crypt_cs_len, crypt_sc_len, comp_cs_len;
+     size_t comp_sc_len, mac_cs_len, mac_sc_len;
+-    unsigned char *s = data;
+    struct string_buf buf;
+
+-    /* Skip packet_type, we know it already */
+-    s++;
+    if(data_len < 17)
+        return -1;
+
+    buf.data = (unsigned char *)data;
+    buf.len = data_len;
+    buf.dataptr = buf.data;
+    buf.dataptr++; /* advance past packet type */
+
+     /* Skip cookie, don't worry, it's preserved in the kexinit field */
+-    s += 16;
+    buf.dataptr += 16;
+
+     /* Locate each string */
+-    if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
+    if(_libssh2_get_string(&buf, &kex, &kex_len))
+         return -1;
+-    if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
+    if(_libssh2_get_string(&buf, &hostkey, &hostkey_len))
+         return -1;
+-    if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
+    if(_libssh2_get_string(&buf, &crypt_cs, &crypt_cs_len))
+         return -1;
+-    if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
+    if(_libssh2_get_string(&buf, &crypt_sc, &crypt_sc_len))
+         return -1;
+-    if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
+    if(_libssh2_get_string(&buf, &mac_cs, &mac_cs_len))
+         return -1;
+-    if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
+    if(_libssh2_get_string(&buf, &mac_sc, &mac_sc_len))
+         return -1;
+-    if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
+    if(_libssh2_get_string(&buf, &comp_cs, &comp_cs_len))
+         return -1;
+-    if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
+    if(_libssh2_get_string(&buf, &comp_sc, &comp_sc_len))
+         return -1;
+
+     /* If the server sent an optimistic packet, assume that it guessed wrong.
+      * If the guess is determined to be right (by kex_agree_kex_hostkey)
+      * This flag will be reset to zero so that it's not ignored */
+-    session->burn_optimistic_kexinit = *(s++);
+-    /* Next uint32 in packet is all zeros (reserved) */
+    if(_libssh2_check_length(&buf, 1)) {
+        session->burn_optimistic_kexinit = *(buf.dataptr++);
+    }
+    else {
+        return -1;
+    }
+
+-    if(data_len < (unsigned) (s - data))
+-        return -1;              /* short packet */
+    /* Next uint32 in packet is all zeros (reserved) */
+
+     if(kex_agree_kex_hostkey(session, kex, kex_len, hostkey, hostkey_len)) {
+         return -1;
+
--- a/libssh2.spec
+++ b/libssh2.spec
@ -1,6 +1,6 @@
 Name:		libssh2
 Version:	1.9.0
-Release:	3
+Release:	4
 Summary:	A library implementing the SSH2 protocol
 License:	BSD
 URL:		https://www.libssh2.org/
@ -9,6 +9,7 @@ Source0:	https://libssh2.org/download/libssh2-%{version}.tar.gz
 Patch9000:      0001-libssh2-CVE-2019-17498.patch
 Patch9001:      0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
 Patch9002:      fix-use-of-uninitialized-value-476-478.patch
+Patch9003:      fix-heap-buffer-overflow-in-kex_agree_methods.patch

 BuildRequires:	coreutils findutils /usr/bin/man zlib-devel
 BuildRequires:	gcc make sed openssl-devel > 1:1.0.1 openssh-server
@ -88,11 +89,17 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_mandir}/man3/libssh2_*.3*

 %changelog
+* Thu Jun 4 2020 songzifeng<songzifeng1@huawei.com> - 1.9.0-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix heap buffer overflow in kex.c
+
 * Sat May 30 2020 songzifeng<songzifeng1@huawei.com> - 1.9.0-3
 - Type:bugfix
- Id:NA
+- ID:NA
 - SUG:NA
- DESC: fix use of uninitialized value in transport.c
+- DESC:fix use of uninitialized value in transport.c

 * Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.9.0-2
 - Type:bugfix