From 5609d612ff129d90d9ca7dd5fadd4b44fb0bca9f Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Fri, 11 Sep 2020 16:09:27 +0800
Subject: [PATCH] fix to use better bounds check
---
 ...roved-parsing-in-packet_x11_open-410.patch | 88 +++++++++++++++++++
 libssh2.spec | 17 ++--
 2 files changed, 100 insertions(+), 5 deletions(-)
 create mode 100644 0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
diff --git a/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch b/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
new file mode 100644
index 0000000..4c76ad3
--- /dev/null
+++ b/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
@@ -0,0 +1,88 @@
+From 336bd86d2ca4030b808d76e56a0387914982e289 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Fri, 13 Sep 2019 09:45:34 -0700
+Subject: [PATCH] packet.c: improved parsing in packet_x11_open (#410)
+
+Use new API to parse data in packet_x11_open() for better bounds checking.
+---
+ src/packet.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 49 insertions(+), 14 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index c83a68d..9897f77 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -295,21 +295,56 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data,
+ LIBSSH2_CHANNEL *channel = x11open_state->channel;
+ int rc;
+
+- (void) datalen;
+-
+ if(x11open_state->state == libssh2_NB_state_idle) {
+- unsigned char *s = data + (sizeof("x11") - 1) + 5;
+- x11open_state->sender_channel = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->initial_window_size = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->packet_size = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->shost_len = _libssh2_ntohu32(s);
+- s += 4;
+- x11open_state->shost = s;
+- s += x11open_state->shost_len;
+- x11open_state->sport = _libssh2_ntohu32(s);
++
++ unsigned long offset = (sizeof("x11") - 1) + 5;
++ size_t temp_len = 0;
++ struct string_buf buf;
++ buf.data = data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++
++ if(datalen < offset) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected data length");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++
++ buf.dataptr += offset;
++
++ if(_libssh2_get_u32(&buf, &(x11open_state->sender_channel))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected sender channel size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ if(_libssh2_get_u32(&buf, &(x11open_state->initial_window_size))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected window size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ if(_libssh2_get_u32(&buf, &(x11open_state->packet_size))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected window size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ if(_libssh2_get_string(&buf, &(x11open_state->shost), &temp_len)) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected host size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
++ x11open_state->shost_len = (uint32_t)temp_len;
++
++ if(_libssh2_get_u32(&buf, &(x11open_state->sport))) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "unexpected port size");
++ failure_code = SSH_OPEN_CONNECT_FAILED;
++ goto x11_exit;
++ }
+
+ _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+ "X11 Connection Received from %s:%ld on channel %lu",
+--
+1.8.3.1
+
diff --git a/libssh2.spec b/libssh2.spec
index f1bd8c2..e49aa01 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,15 +1,16 @@
Name: libssh2
Version: 1.9.0
-Release: 4
+Release: 5
Summary: A library implementing the SSH2 protocol
License: BSD
URL: https://www.libssh2.org/
Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
-Patch9000: 0001-libssh2-CVE-2019-17498.patch
-Patch9001: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
-Patch9002: fix-use-of-uninitialized-value-476-478.patch
-Patch9003: fix-heap-buffer-overflow-in-kex_agree_methods.patch
+Patch0: 0001-libssh2-CVE-2019-17498.patch
+Patch1: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
+Patch2: fix-use-of-uninitialized-value-476-478.patch
+Patch3: fix-heap-buffer-overflow-in-kex_agree_methods.patch
+Patch4: 0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
BuildRequires: coreutils findutils /usr/bin/man zlib-devel
BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server
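Review bot: The error string for the packet_size check in the new patch body reads `"unexpected window size"`, duplicating the message of the initial_window_size check directly above it, so a failure on that field cannot be told apart from the previous one in logs; it should read `"unexpected packet size"`. The file is a verbatim carry of upstream commit 336bd86, so the correction belongs in a follow-up patch or an upstream report rather than an in-place edit of this one. Separately, the `_libssh2_debug` context line at the end of the hunk prints with `%s` while shost_len is now tracked as a separate length from `_libssh2_get_string`; the format arguments and the rest of packet_x11_open are outside the hunk, so whether shost is NUL-terminated before that trace cannot be seen here and is worth confirming, given that bounds checking is the point of this patch.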
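Review bot: Declaring `Patch4:` only registers the file; whether it is applied depends on the %prep section, which is outside this diff. If %prep uses `%autosetup -p1` every declared patch is applied automatically, but if it uses explicit `%patchN` lines, the renumbering from Patch9000–9003 to Patch0–3 breaks those references as well and a matching `%patch4 -p1` is needed, otherwise the bounds-check fix never reaches the built library. A build log line showing the patch being applied would settle it.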
@@ -89,6 +90,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
%{_mandir}/man3/libssh2_*.3*
%changelog
+* Fri Sep 11 2020 gaihuiying - 1.9.0-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix to use better bounds check
+
* Thu Jun 4 2020 songzifeng - 1.9.0-4
- Type:bugfix
- ID:NA
-- Gitee