NULL terminate server_sign_algorithms string (#669)

files: packet.c, libssh2_priv.h notes: * Fix heap buffer overflow in _libssh2_key_sign_algorithm When allocating `session->server_sign_algorithms` which is a `char*` is is important to also allocate space for the string-terminating null byte at the end and make sure the string is actually null terminated. Without this fix, the `strchr()` call inside the `_libssh2_key_sign_algorithm` (line 1219) function will try to parse the string and go out of buffer on the last invocation. Credit: tihmstar Co-authored-by: Will Cosgrove <will@panic.com>
2025-11-21 14:00:51 +03:00 · 2022-02-03 19:11:36 +01:00
parent 30fc410b97
commit 2a2aaed3b6
2 changed files with 2 additions and 3 deletions
--- a/src/libssh2_priv.h
+++ b/src/libssh2_priv.h
@@ -642,7 +642,6 @@ struct _LIBSSH2_SESSION

    /* public key algorithms accepted as comma separated list */
    char *server_sign_algorithms;
-    size_t server_sign_algorithms_len;

    /* key signing algorithm preferences -- NULL yields server order */
    char *sign_algo_prefs;
--- a/src/packet.c
+++ b/src/packet.c
@@ -665,12 +665,12 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,

                        session->server_sign_algorithms =
                                                LIBSSH2_ALLOC(session,
-                                                              value_len);
+                                                              value_len + 1);

                        if(session->server_sign_algorithms) {
-                            session->server_sign_algorithms_len = value_len;
                            memcpy(session->server_sign_algorithms,
                                   value, value_len);
+                            session->server_sign_algorithms[value_len] = '\0';
                        }
                        else {
                            rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,