lib/libssh2
1
0
Fork 0
mirror of https://github.com/libssh2/libssh2.git synced 2025-11-21 14:00:51 +03:00
Code Activity

Fix buffer overflow during SSH_MSG_USERAUTH_BANNER (#693)

Browse Source 
File: userauth.c
Notes:
This patch fixes application crashes due to heap corruption. Turns out the null terminator is written one byte outside of the allocated area.
Credit:
Zenju
This commit is contained in:
Zenju
2022-04-25 20:49:11 +02:00
committed by GitHub
parent dd0b5b2d2b
commit dba9ad9d3d
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/userauth.c
View File

@@ -146,14 +146,14 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
return NULL;
}
banner_len = _libssh2_ntohu32(session->userauth_list_data + 1);
if(banner_len >= session->userauth_list_data_len - 5) {
if(banner_len > session->userauth_list_data_len - 5) {
LIBSSH2_FREE(session, session->userauth_list_data);
session->userauth_list_data = NULL;
_libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
"Unexpected userauth banner size");
return NULL;
}
session->userauth_banner = LIBSSH2_ALLOC(session, banner_len);
session->userauth_banner = LIBSSH2_ALLOC(session, banner_len + 1);
if(!session->userauth_banner) {
LIBSSH2_FREE(session, session->userauth_list_data);
session->userauth_list_data = NULL;
@@ -161,7 +161,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
"Unable to allocate memory for userauth_banner");
return NULL;
}
memmove(session->userauth_banner, session->userauth_list_data + 5,
memcpy(session->userauth_banner, session->userauth_list_data + 5,
banner_len);
session->userauth_banner[banner_len] = '\0';
_libssh2_debug(session, LIBSSH2_TRACE_AUTH,