From a6a9093b39824a00258f96a5301a844b4d870cdc Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Thu, 28 Mar 2024 16:59:58 +0000
Subject: [PATCH] userauth: avoid oob with huge interactive kbd response
- If the length of a response is `UINT_MAX - 3` or larger, an unsigned
integer overflow occurs on 64-bit systems. Avoid such truncation to
always allocate enough memory to avoid subsequent out of boundary
writes.
Patch-by: Tobias Stoeckmann
- also add FIXME to bump up length field to `size_t` (ABI break)
Closes #1337
Reference:https://github.com/libssh2/libssh2/commit/a6a9093b39824a00258f96a5301a844b4d870cdc
Conflict:NA
---
include/libssh2.h | 2 +-
src/userauth.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
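diff --git a/include/libssh2.h b/include/libssh2.h
index 8bc8a138..71673801 100644
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -292,7 +292,7 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_PROMPT
 typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
 {
 char *text;
- unsigned int length;
+ unsigned int length; /* FIXME: change type to size_t */
 } LIBSSH2_USERAUTH_KBDINT_RESPONSE;
 
 typedef struct _LIBSSH2_SK_SIG_INFO {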
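diff --git a/src/userauth.c b/src/userauth.c
index 60fd48e4..43df3e15 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -2188,7 +2188,7 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
 if(session->userauth_kybd_responses[i].length <=
 (SIZE_MAX - 4 - session->userauth_kybd_packet_len)) {
 session->userauth_kybd_packet_len +=
- 4 + session->userauth_kybd_responses[i].length;
+ 4 + (size_t)session->userauth_kybd_responses[i].length;
 }
 else {
 _libssh2_error(session, LIBSSH2_ERROR_ALLOC,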
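Review bot: The guard above the changed sum still evaluates `SIZE_MAX - 4 - session->userauth_kybd_packet_len` without first checking that the running total is at most `SIZE_MAX - 4`, so if `userauth_kybd_packet_len` ever exceeds that bound the subtraction wraps and the comparison passes for any response length. That looks reachable only where `size_t` is 32 bits wide and several large responses accumulate, and the field's type and starting value are not visible in this hunk, so it is something to confirm rather than a proven defect. A form that cannot wrap is `if(session->userauth_kybd_packet_len <= SIZE_MAX - 4 && session->userauth_kybd_responses[i].length <= SIZE_MAX - 4 - session->userauth_kybd_packet_len)`. A short comment on the `(size_t)` cast, for example `/* widen first: 4 + length is otherwise evaluated in unsigned int */`, would keep the cast from being dropped as redundant later. The enclosing loop and the allocation that consumes the total lie outside the hunk.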
--
2.33.0