From a6a9093b39824a00258f96a5301a844b4d870cdc Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Thu, 28 Mar 2024 16:59:58 +0000
Subject: [PATCH] userauth: avoid oob with huge interactive kbd response

- If the length of a response is `UINT_MAX - 3` or larger, an unsigned
  integer overflow occurs on 64-bit systems. Avoid such truncation to
  always allocate enough memory to avoid subsequent out of boundary
  writes.

  Patch-by: Tobias Stoeckmann

- also add FIXME to bump up length field to `size_t` (ABI break)

Closes #1337
---
 include/libssh2.h | 2 +-
 src/userauth.c    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/libssh2.h b/include/libssh2.h
index 8bc8a138..71673801 100644
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -292,7 +292,7 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_PROMPT
 typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
 {
     char *text;
-    unsigned int length;
+    unsigned int length;  /* FIXME: change type to size_t */
 } LIBSSH2_USERAUTH_KBDINT_RESPONSE;
 
 typedef struct _LIBSSH2_SK_SIG_INFO {
diff --git a/src/userauth.c b/src/userauth.c
index 60fd48e4..43df3e15 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -2188,7 +2188,7 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
                 if(session->userauth_kybd_responses[i].length <=
                    (SIZE_MAX - 4 - session->userauth_kybd_packet_len)) {
                     session->userauth_kybd_packet_len +=
-                        4 + session->userauth_kybd_responses[i].length;
+                        4 + (size_t)session->userauth_kybd_responses[i].length;
                 }
                 else {
                     _libssh2_error(session, LIBSSH2_ERROR_ALLOC,