fix to use better bounds check
This commit is contained in:
parent
8cb5380486
commit
5609d612ff
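--- a/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
+++ b/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
@@ -0,0 +1,88 @@
+From 336bd86d2ca4030b808d76e56a0387914982e289 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 13 Sep 2019 09:45:34 -0700
+Subject: [PATCH] packet.c: improved parsing in packet_x11_open (#410)
+
+Use new API to parse data in packet_x11_open() for better bounds checking.
+---
+src/packet.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++--------------
+1 file changed, 49 insertions(+), 14 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index c83a68d..9897f77 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -295,21 +295,56 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data,
+LIBSSH2_CHANNEL *channel = x11open_state->channel;
+int rc;
+
+- (void) datalen;
+-
+if(x11open_state->state == libssh2_NB_state_idle) {
+- unsigned char *s = data + (sizeof("x11") - 1) + 5;
+- x11open_state->sender_channel = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->initial_window_size = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->packet_size = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->shost_len = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->shost = s;
+- s += x11open_state->shost_len;
+- x11open_state->sport = _libssh2_ntohu32(s);
++
++ unsigned long offset = (sizeof("x11") - 1) + 5;
++ size_t temp_len = 0;
++ struct string_buf buf;
++ buf.data = data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++
++ if(datalen < offset) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected data length");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++
++ buf.dataptr += offset;
++
++ if(_libssh2_get_u32(&buf, &(x11open_state->sender_channel))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected sender channel size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ if(_libssh2_get_u32(&buf, &(x11open_state->initial_window_size))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected window size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ if(_libssh2_get_u32(&buf, &(x11open_state->packet_size))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected window size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ if(_libssh2_get_string(&buf, &(x11open_state->shost), &temp_len)) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected host size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ x11open_state->shost_len = (uint32_t)temp_len;
++
++ if(_libssh2_get_u32(&buf, &(x11open_state->sport))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected port size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
+
+_libssh2_debug(session, LIBSSH2_TRACE_CONN,
+"X11 Connection Received from %s:%ld on channel %lu",
+--
+1.8.3.1
+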
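Review bot: The error string for the packet_size check in the patch body is a copy of the window-size one — the `_libssh2_get_u32(&buf, &(x11open_state->packet_size))` failure reports `"unexpected window size"`, so the two rejections are indistinguishable in logs; change that line to `"unexpected packet size");`. Separately, `_libssh2_get_string` leaves `shost` as a length-delimited slice of `data` with no NUL terminator, and the `_libssh2_debug` call right after the new checks formats something with `%s`; its argument list is outside the hunk, so if `shost` is what is passed there, `%.*s` with `(int)x11open_state->shost_len` would bound the read. The `offset` local is declared `unsigned long` while it is compared against `datalen` and added to `buf.dataptr`; `size_t` would match `buf.len` and `temp_len` and avoid a width mismatch on LLP64 targets. packet_x11_open starts before this hunk and continues after it.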
17
libssh2.spec
17
libssh2.spec
@ -1,15 +1,16 @@
|
|||||||
Name: libssh2
|
Name: libssh2
|
||||||
Version: 1.9.0
|
Version: 1.9.0
|
||||||
Release: 4
|
Release: 5
|
||||||
Summary: A library implementing the SSH2 protocol
|
Summary: A library implementing the SSH2 protocol
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: https://www.libssh2.org/
|
URL: https://www.libssh2.org/
|
||||||
Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
|
Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
|
||||||
|
|
||||||
Patch9000: 0001-libssh2-CVE-2019-17498.patch
|
Patch0: 0001-libssh2-CVE-2019-17498.patch
|
||||||
Patch9001: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
|
Patch1: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
|
||||||
Patch9002: fix-use-of-uninitialized-value-476-478.patch
|
Patch2: fix-use-of-uninitialized-value-476-478.patch
|
||||||
Patch9003: fix-heap-buffer-overflow-in-kex_agree_methods.patch
|
Patch3: fix-heap-buffer-overflow-in-kex_agree_methods.patch
|
||||||
|
Patch4: 0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
|
||||||
|
|
||||||
BuildRequires: coreutils findutils /usr/bin/man zlib-devel
|
BuildRequires: coreutils findutils /usr/bin/man zlib-devel
|
||||||
BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server
|
BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server
|
||||||
@ -89,6 +90,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
|
|||||||
%{_mandir}/man3/libssh2_*.3*
|
%{_mandir}/man3/libssh2_*.3*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Sep 11 2020 gaihuiying <gaihuiying1@huawei.com> - 1.9.0-5
|
||||||
|
- Type:bugfix
|
||||||
|
- ID:NA
|
||||||
|
- SUG:NA
|
||||||
|
- DESC:fix to use better bounds check
|
||||||
|
|
||||||
* Thu Jun 4 2020 songzifeng<songzifeng1@huawei.com> - 1.9.0-4
|
* Thu Jun 4 2020 songzifeng<songzifeng1@huawei.com> - 1.9.0-4
|
||||||
- Type:bugfix
|
- Type:bugfix
|
||||||
- ID:NA
|
- ID:NA
|
||||||
|
|||||||
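Review bot: Renumbering Patch9000–Patch9003 to Patch0–Patch3 and declaring Patch4 only changes the build if %prep picks the patches up by number, and %prep is outside this diff. If it uses `%autosetup -p1` or `%autopatch` nothing else is needed, but explicit `%patch9000 -p1`-style lines would have to become `%patch0 -p1` … `%patch4 -p1`, otherwise the new packet_x11_open bounds-check patch is declared but never applied. Since the changelog entry for 1.9.0-5 claims the fix, it is worth confirming the built library actually contains the `_libssh2_get_u32` parsing path.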