lib/libssh2
1
0
Fork 0
mirror of https://github.com/libssh2/libssh2.git synced 2025-08-07 08:02:56 +03:00
Code Activity

userauth: avoid oob with huge interactive kbd response

Browse Source 
- If the length of a response is `UINT_MAX - 3` or larger, an unsigned
  integer overflow occurs on 64-bit systems. Avoid such truncation to
  always allocate enough memory to avoid subsequent out of boundary
  writes.

  Patch-by: Tobias Stoeckmann

- also add FIXME to bump up length field to `size_t` (ABI break)

Closes #1337
This commit is contained in:
Viktor Szakats
2024-03-28 16:59:58 +00:00
parent bde10825f1
commit a6a9093b39
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/libssh2.h
View File

@@ -292,7 +292,7 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_PROMPT
typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
{ {
char *text; char *text;
unsigned int length; unsigned int length; /* FIXME: change type to size_t */
} LIBSSH2_USERAUTH_KBDINT_RESPONSE; } LIBSSH2_USERAUTH_KBDINT_RESPONSE;
typedef struct _LIBSSH2_SK_SIG_INFO { typedef struct _LIBSSH2_SK_SIG_INFO {

2
src/userauth.c
View File

@@ -2188,7 +2188,7 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
if(session->userauth_kybd_responses[i].length <= if(session->userauth_kybd_responses[i].length <=
(SIZE_MAX - 4 - session->userauth_kybd_packet_len)) { (SIZE_MAX - 4 - session->userauth_kybd_packet_len)) {
session->userauth_kybd_packet_len += session->userauth_kybd_packet_len +=
4 + session->userauth_kybd_responses[i].length; 4 + (size_t)session->userauth_kybd_responses[i].length;
} }
else { else {
_libssh2_error(session, LIBSSH2_ERROR_ALLOC, _libssh2_error(session, LIBSSH2_ERROR_ALLOC,