diff --git a/CVE-2020-16135-1.patch b/CVE-2020-16135-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a61c5103c7c90aac6f2e313cafe30e948e3b79f3
--- /dev/null
+++ b/CVE-2020-16135-1.patch
@@ -0,0 +1,36 @@
+From 72ca8cc3eceb732c777dfd66e1441f0b34c655a8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()
+
+Thanks to Ramin Farajpour Cami for spotting this.
+
+Fixes T232
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Anderson Toshiyuki Sasaki
+Reviewed-by: Jakub Jelen
+---
+ src/sftpserver.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 5a2110e..b639a2c 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+
+ /* take a copy of the whole packet */
+ msg->complete_message = ssh_buffer_new();
++ if (msg->complete_message == NULL) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
++
+ ssh_buffer_add_data(msg->complete_message,
+ ssh_buffer_get(payload),
+ ssh_buffer_get_len(payload));
+--
+2.23.0
+
diff --git a/CVE-2020-16135-2.patch b/CVE-2020-16135-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2da3e120423d046c47b1beefb891c5b273ba0ad7
--- /dev/null
+++ b/CVE-2020-16135-2.patch
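Review bot: The new error path calls `sftp_client_message_free(msg)` on a message whose `complete_message` is still NULL and whose later fields have not been filled in yet, so it relies on that destructor tolerating a partially initialised message; `sftp_client_message_free` is not in the hunk, so this should be confirmed against its definition rather than assumed. If it is safe, recording the invariant at the check helps the next person who adds a field to the struct: `/* msg is only partially initialised here; sftp_client_message_free() must accept NULL members */`. The enclosing `sftp_get_client_message` starts and ends outside the hunk, and `session` and `payload` are declared outside it as well.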
@@ -0,0 +1,38 @@
+From c7b21bfbcd41205d93492a792c973643c94d3079 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:05:51 +0200
+Subject: [PATCH 2/4] sftpserver: Add missing return check for
+ ssh_buffer_add_data()
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Anderson Toshiyuki Sasaki
+Reviewed-by: Jakub Jelen
+---
+ src/sftpserver.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index b639a2c..9117f15 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+ return NULL;
+ }
+
+- ssh_buffer_add_data(msg->complete_message,
+- ssh_buffer_get(payload),
+- ssh_buffer_get_len(payload));
++ rc = ssh_buffer_add_data(msg->complete_message,
++ ssh_buffer_get(payload),
++ ssh_buffer_get_len(payload));
++ if (rc < 0) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
+
+ ssh_buffer_get_u32(payload, &msg->id);
+
+--
+2.23.0
+
diff --git a/CVE-2020-16135-3.patch b/CVE-2020-16135-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0ebce074f99f06f41aaddc70e973809c0828feba
--- /dev/null
+++ b/CVE-2020-16135-3.patch
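Review bot: `rc` is assigned on the first added line but its declaration is not in the hunk, so the patch only builds if `sftp_get_client_message` already declares an `int rc` above line 73; that is worth confirming when applying this on top of 0.9.4, since a missing declaration fails at compile time. Separately, `ssh_buffer_add_data()` returns -1 for more than an allocation failure (the reformatted body in the third patch shows it also rejecting a NULL `data` pointer and a `used + len` wrap-around), so reporting every failure through `ssh_set_error_oom(session)` mislabels those two causes; if `ssh_set_error(session, SSH_FATAL, ...)` is usable here, a message such as `"Failed to copy SFTP packet"` would make failures easier to diagnose. The enclosing function continues outside the hunk on both sides.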
@@ -0,0 +1,66 @@
+From dafd55eda0093a2201ad847532b9c55af2a01247 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:10:11 +0200
+Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Anderson Toshiyuki Sasaki
+Reviewed-by: Jakub Jelen
+---
+ src/buffer.c | 35 ++++++++++++++++++-----------------
+ 1 file changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index a2e6246..476bc13 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+ */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
+- buffer_verify(buffer);
++ buffer_verify(buffer);
+
+- if (data == NULL) {
+- return -1;
+- }
++ if (data == NULL) {
++ return -1;
++ }
+
+- if (buffer->used + len < len) {
+- return -1;
+- }
++ if (buffer->used + len < len) {
++ return -1;
++ }
+
+- if (buffer->allocated < (buffer->used + len)) {
+- if(buffer->pos > 0)
+- buffer_shift(buffer);
+- if (realloc_buffer(buffer, buffer->used + len) < 0) {
+- return -1;
++ if (buffer->allocated < (buffer->used + len)) {
++ if (buffer->pos > 0) {
++ buffer_shift(buffer);
++ }
++ if (realloc_buffer(buffer, buffer->used + len) < 0) {
++ return -1;
++ }
+ }
+- }
+
+- memcpy(buffer->data+buffer->used, data, len);
+- buffer->used+=len;
+- buffer_verify(buffer);
+- return 0;
++ memcpy(buffer->data + buffer->used, data, len);
++ buffer->used += len;
++ buffer_verify(buffer);
++ return 0;
+ }
+
+ /**
+--
+2.23.0
+
diff --git a/CVE-2020-16135-4.patch b/CVE-2020-16135-4.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bdd8eb8578ae416c303fc5eea1102bc8a7ceccba
--- /dev/null
+++ b/CVE-2020-16135-4.patch
@@ -0,0 +1,30 @@
+From 7a4b7eec9a2921ba275be500e05f436ee8ace198 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:11:21 +0200
+Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Anderson Toshiyuki Sasaki
+Reviewed-by: Jakub Jelen
+---
+ src/buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 476bc13..ce12f49 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+ */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
++ if (buffer == NULL) {
++ return -1;
++ }
++
+ buffer_verify(buffer);
+
+ if (data == NULL) {
+--
+2.23.0
+
diff --git a/libssh.spec b/libssh.spec
index f966057922f011d08027ff96a75be3515aea5652..fbed4d61299bd1021422b39d92119389ab1ba2ad 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name: libssh
 Version: 0.9.4
-Release: 1
+Release: 2
 Summary: A library implementing the SSH protocol
 License: LGPLv2+
 URL: http://www.libssh.org
@@ -10,6 +10,10 @@
 Source1: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
 Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
 Patch1: libssh-0.9.4-fix-version.patch
+Patch2: CVE-2020-16135-1.patch
+Patch3: CVE-2020-16135-2.patch
+Patch4: CVE-2020-16135-3.patch
+Patch5: CVE-2020-16135-4.patch
 
 BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel
 BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server
@@ -96,6 +100,12 @@ popd
 %doc ChangeLog README
 
 %changelog
+* Thu Aug 6 2020 zhaowei - 0.9.4-2
+- Type:CVE
+- Id:CVE-2020-16135
+- SUG:NA
+- DESC:fix CVE-2020-16135
+
 * Mon Apr 20 2020 openEuler Buildteam - 0.9.4-1
 - Type:bugfix
 - Id:NA
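Review bot: The Doxygen block that ends at the ` */` context line directly above `ssh_buffer_add_data` is not updated for the new `-1` return on a NULL `buffer`, so the documented contract and the code now disagree; add or extend its return description along the lines of `@return 0 on success, -1 on error (NULL buffer or data, length wrap-around, or allocation failure)`. Placing the guard ahead of `buffer_verify(buffer)` is the right order, since in any build where that macro expands to a real check it would have dereferenced the NULL pointer first. The comment block and the remainder of the function body lie outside the hunk.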
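Review bot: `Patch2` through `Patch5` are declared in the preamble, but whether they are applied depends on the `%prep` section, which is not part of this diff: `%autosetup -p1` picks them up automatically, whereas an explicit `%patch1 -p1` line would leave the four CVE-2020-16135 fixes unapplied while `Release: 2` and the changelog claim they are shipped. Please confirm that `%prep` applies all five patches, or switch it to `%autosetup -p1`, so the release number and the built binary stay in sync.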