packages/libssh2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix heap buffer overflow in kex.c

Browse Source
This commit is contained in:
orange-snn 2020-06-04 15:03:56 +08:00
parent 9ff9bfcd64
commit 64d5fa9ff4
2 changed files with 126 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
fix-heap-buffer-overflow-in-kex_agree_methods.patch Normal file
View File

@ -0,0 +1,118 @@
From 43f24eb152b8ec62473d2de6108d7c0b267b2419 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Tue, 27 Aug 2019 10:58:52 -0700
Subject: [PATCH] kex.c: improve bounds checking in kex_agree_methods() (#399)
file: kex.c
notes:
use _libssh2_get_string instead of kex_string_pair which does additional checks
---
src/kex.c | 65 ++++++++++++++++++++-----------------------------------
1 file changed, 24 insertions(+), 41 deletions(-)
diff --git a/src/kex.c b/src/kex.c
index df9a4fdd6..7b111feaa 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -3937,35 +3937,10 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
}
-
/* TODO: When in server mode we need to turn this logic on its head
* The Client gets to make the final call on "agreed methods"
*/
-/*
- * kex_string_pair() extracts a string from the packet and makes sure it fits
- * within the given packet.
- */
-static int kex_string_pair(unsigned char **sp, /* parsing position */
- unsigned char *data, /* start pointer to packet */
- size_t data_len, /* size of total packet */
- size_t *lenp, /* length of the string */
- unsigned char **strp) /* pointer to string start */
-{
- unsigned char *s = *sp;
- *lenp = _libssh2_ntohu32(s);
-
- /* the length of the string must fit within the current pointer and the
- end of the packet */
- if(*lenp > (data_len - (s - data) -4))
- return 1;
- *strp = s + 4;
- s += 4 + *lenp;
-
- *sp = s;
- return 0;
-}
-
/* kex_agree_methods
* Decide which specific method to use of the methods offered by each party
*/
@@ -3976,40 +3951,48 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
*mac_cs, *mac_sc;
size_t kex_len, hostkey_len, crypt_cs_len, crypt_sc_len, comp_cs_len;
size_t comp_sc_len, mac_cs_len, mac_sc_len;
- unsigned char *s = data;
+ struct string_buf buf;
- /* Skip packet_type, we know it already */
- s++;
+ if(data_len < 17)
+ return -1;
+
+ buf.data = (unsigned char *)data;
+ buf.len = data_len;
+ buf.dataptr = buf.data;
+ buf.dataptr++; /* advance past packet type */
/* Skip cookie, don't worry, it's preserved in the kexinit field */
- s += 16;
+ buf.dataptr += 16;
/* Locate each string */
- if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
+ if(_libssh2_get_string(&buf, &kex, &kex_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
+ if(_libssh2_get_string(&buf, &hostkey, &hostkey_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
+ if(_libssh2_get_string(&buf, &crypt_cs, &crypt_cs_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
+ if(_libssh2_get_string(&buf, &crypt_sc, &crypt_sc_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
+ if(_libssh2_get_string(&buf, &mac_cs, &mac_cs_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
+ if(_libssh2_get_string(&buf, &mac_sc, &mac_sc_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
+ if(_libssh2_get_string(&buf, &comp_cs, &comp_cs_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
+ if(_libssh2_get_string(&buf, &comp_sc, &comp_sc_len))
return -1;
/* If the server sent an optimistic packet, assume that it guessed wrong.
* If the guess is determined to be right (by kex_agree_kex_hostkey)
* This flag will be reset to zero so that it's not ignored */
- session->burn_optimistic_kexinit = *(s++);
- /* Next uint32 in packet is all zeros (reserved) */
+ if(_libssh2_check_length(&buf, 1)) {
+ session->burn_optimistic_kexinit = *(buf.dataptr++);
+ }
+ else {
+ return -1;
+ }
- if(data_len < (unsigned) (s - data))
- return -1; /* short packet */
+ /* Next uint32 in packet is all zeros (reserved) */
if(kex_agree_kex_hostkey(session, kex, kex_len, hostkey, hostkey_len)) {
return -1;

9
libssh2.spec
View File

@ -1,6 +1,6 @@
Name: libssh2 Name: libssh2
Version: 1.9.0 Version: 1.9.0
Release: 3 Release: 4
Summary: A library implementing the SSH2 protocol Summary: A library implementing the SSH2 protocol
License: BSD License: BSD
URL: https://www.libssh2.org/ URL: https://www.libssh2.org/
@ -9,6 +9,7 @@ Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
Patch9000: 0001-libssh2-CVE-2019-17498.patch Patch9000: 0001-libssh2-CVE-2019-17498.patch
Patch9001: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch Patch9001: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
Patch9002: fix-use-of-uninitialized-value-476-478.patch Patch9002: fix-use-of-uninitialized-value-476-478.patch
Patch9003: fix-heap-buffer-overflow-in-kex_agree_methods.patch
BuildRequires: coreutils findutils /usr/bin/man zlib-devel BuildRequires: coreutils findutils /usr/bin/man zlib-devel
BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server
@ -88,6 +89,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
%{_mandir}/man3/libssh2_*.3* %{_mandir}/man3/libssh2_*.3*
%changelog %changelog
* Sat June 4 2020 songzifeng<songzifeng1@huawei.com> - 1.9.0-4
- Type:bugfix
- Id:NA
- SUG:NA
- DESC: fix heap buffer overflow in kex.c
* Sat May 30 2020 songzifeng<songzifeng1@huawei.com> - 1.9.0-3 * Sat May 30 2020 songzifeng<songzifeng1@huawei.com> - 1.9.0-3
- Type:bugfix - Type:bugfix
- Id:NA - Id:NA