Security fixes (#315)

* Bounds checks Fixes for CVEs https://www.libssh2.org/CVE-2019-3863.html https://www.libssh2.org/CVE-2019-3856.html * Packet length bounds check CVE https://www.libssh2.org/CVE-2019-3855.html * Response length check CVE https://www.libssh2.org/CVE-2019-3859.html * Bounds check CVE https://www.libssh2.org/CVE-2019-3857.html * Bounds checking CVE https://www.libssh2.org/CVE-2019-3859.html and additional data validation * Check bounds before reading into buffers * Bounds checking CVE https://www.libssh2.org/CVE-2019-3859.html * declare SIZE_MAX and UINT_MAX if needed
2025-11-23 01:22:37 +03:00 · 2019-03-14 15:22:13 -07:00
parent e1d9bd49e4
commit dc109a7f51
8 changed files with 419 additions and 186 deletions
--- a/src/session.c
+++ b/src/session.c
@@ -774,6 +774,11 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
                                     &session->startup_req_state);
        if(rc)
            return rc;
+        
+        if(session->startup_data_len < 5) {
+            return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+                                  "Unexpected packet length");
+        }

        session->startup_service_length =
            _libssh2_ntohu32(session->startup_data + 1);