fix heap-buffer-overflow in _libssh2_ntohu32

2020-09-24 10:10:24 +08:00 · 2020-09-24 10:10:24 +08:00 · e1fa84d878
commit e1fa84d878
parent 6bddafafd8
2 changed files with 105 additions and 1 deletions
--- a/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
+++ b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
@ -0,0 +1,97 @@
+From 80d3ea5b413d269ec77aebbb0aabbe738ba31796 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Wed, 4 Sep 2019 12:16:52 -0700
+Subject: [PATCH] packet.c: improved packet parsing in packet_queue_listener
+ (#404)
+
+* improved bounds checking in packet_queue_listener
+
+file: packet.c
+
+notes:
+improved parsing packet in packet_queue_listener
+---
+ src/packet.c | 63 +++++++++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 43 insertions(+), 20 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 2e01bfc..c83a68d 100644
+--- a/src/packet.c
+++ b/src/packet.c
+@@ -85,30 +85,53 @@ packet_queue_listener(LIBSSH2_SESSION * session, unsigned char *data,
+     char failure_code = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
+     int rc;
+ 
+-    (void) datalen;
+-
+     if(listen_state->state == libssh2_NB_state_idle) {
+-        unsigned char *s = data + (sizeof("forwarded-tcpip") - 1) + 5;
+-        listen_state->sender_channel = _libssh2_ntohu32(s);
+-        s += 4;
+        unsigned long offset = (sizeof("forwarded-tcpip") - 1) + 5;
+        size_t temp_len = 0;
+        struct string_buf buf;
+        buf.data = data;
+        buf.dataptr = buf.data;
+        buf.len = datalen;
+
+        if(datalen < offset) {
+            return _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+                                  "Unexpected packet size");
+        }
+ 
+-        listen_state->initial_window_size = _libssh2_ntohu32(s);
+-        s += 4;
+-        listen_state->packet_size = _libssh2_ntohu32(s);
+-        s += 4;
+        buf.dataptr += offset;
+ 
+-        listen_state->host_len = _libssh2_ntohu32(s);
+-        s += 4;
+-        listen_state->host = s;
+-        s += listen_state->host_len;
+-        listen_state->port = _libssh2_ntohu32(s);
+-        s += 4;
+        if(_libssh2_get_u32(&buf, &(listen_state->sender_channel))) {
+            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+                                  "Data too short extracting channel");
+        }
+        if(_libssh2_get_u32(&buf, &(listen_state->initial_window_size))) {
+            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+                                  "Data too short extracting window size");
+        }
+        if(_libssh2_get_u32(&buf, &(listen_state->packet_size))) {
+            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+                                  "Data too short extracting packet");
+        }
+        if(_libssh2_get_string(&buf, &(listen_state->host), &temp_len)) {
+            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+                                  "Data too short extracting host");
+        }
+        listen_state->host_len = (uint32_t)temp_len;
+ 
+-        listen_state->shost_len = _libssh2_ntohu32(s);
+-        s += 4;
+-        listen_state->shost = s;
+-        s += listen_state->shost_len;
+-        listen_state->sport = _libssh2_ntohu32(s);
+        if(_libssh2_get_u32(&buf, &(listen_state->port))) {
+            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+                                  "Data too short extracting port");
+        }
+        if(_libssh2_get_string(&buf, &(listen_state->shost), &temp_len)) {
+            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+                                  "Data too short extracting shost");
+        }
+        listen_state->shost_len = (uint32_t)temp_len;
+
+        if(_libssh2_get_u32(&buf, &(listen_state->sport))) {
+            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+                                  "Data too short extracting sport");
+        }
+ 
+         _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+                        "Remote received connection from %s:%ld to %s:%ld",
+-- 
+1.8.3.1
+
--- a/libssh2.spec
+++ b/libssh2.spec
@ -1,6 +1,6 @@
 Name:		libssh2
 Version:	1.9.0
-Release:	5
+Release:	6
 Summary:	A library implementing the SSH2 protocol
 License:	BSD
 URL:		https://www.libssh2.org/
@ -11,6 +11,7 @@ Patch1:         0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
 Patch2:         fix-use-of-uninitialized-value-476-478.patch
 Patch3:         fix-heap-buffer-overflow-in-kex_agree_methods.patch
 Patch4:         0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
+Patch5:		0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch

 BuildRequires:	coreutils findutils /usr/bin/man zlib-devel
 BuildRequires:	gcc make sed openssl-devel > 1:1.0.1 openssh-server
@ -90,6 +91,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_mandir}/man3/libssh2_*.3*

 %changelog
+* Thu Sep 24 2020 yuboyun <yuboyun@huawei.com> - 1.9.0-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix heap-buffer-overflow in _libssh2_ntohu32
+
 * Fri Sep 11 2020 gaihuiying <gaihuiying1@huawei.com> - 1.9.0-5
 - Type:bugfix
 - ID:NA