From 2a2aaed3b6c3c1dc25e35e11afcfb23f88a18510 Mon Sep 17 00:00:00 2001
From: tihmstar
Date: Thu, 3 Feb 2022 19:11:36 +0100
Subject: [PATCH] NULL terminate server_sign_algorithms string (#669)

files: packet.c, libssh2_priv.h
notes:
* Fix heap buffer overflow in _libssh2_key_sign_algorithm

When allocating `session->server_sign_algorithms` which is a `char*` is is important to also allocate space for the string-terminating null byte at the end and make sure the string is actually null terminated.

Without this fix, the `strchr()` call inside the `_libssh2_key_sign_algorithm` (line 1219) function will try to parse the string and go out of buffer on the last invocation.

Credit: tihmstar
Co-authored-by: Will Cosgrove
---
 src/libssh2_priv.h | 1 -
 src/packet.c | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
index f218a836..be16ad2e 100644
--- a/src/libssh2_priv.h
+++ b/src/libssh2_priv.h
@@ -642,7 +642,6 @@ struct _LIBSSH2_SESSION
 /* public key algorithms accepted as comma separated list */
 char *server_sign_algorithms;
- size_t server_sign_algorithms_len;
 
 /* key signing algorithm preferences -- NULL yields server order */
 char *sign_algo_prefs;
 
diff --git a/src/packet.c b/src/packet.c
index 686be5cc..c3756a8e 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -665,12 +665,12 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
 session->server_sign_algorithms = LIBSSH2_ALLOC(session,
- value_len);
+ value_len + 1);
 if(session->server_sign_algorithms) {
- session->server_sign_algorithms_len = value_len;
 memcpy(session->server_sign_algorithms, value, value_len);
+ session->server_sign_algorithms[value_len] = '\0';
 }
 else {
 rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,