From bd1caefbeebdceab380a1da631c60ca02e56f774 Mon Sep 17 00:00:00 2001
From: yu_boyun <1215979730@qq.com>
Date: Thu, 24 Sep 2020 10:15:57 +0800
Subject: [PATCH] fix heap-buffer-overflow in _libssh2_ntohu32

---
 ...d-packet-parsing-in-packet_queue_lis.patch | 97 +++++++++++++++++++
 libssh2.spec | 9 +-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch

diff --git a/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
new file mode 100644
index 0000000..383a759
--- /dev/null
+++ b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
@@ -0,0 +1,97 @@
+From 80d3ea5b413d269ec77aebbb0aabbe738ba31796 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Wed, 4 Sep 2019 12:16:52 -0700
+Subject: [PATCH] packet.c: improved packet parsing in packet_queue_listener
+ (#404)
+
+* improved bounds checking in packet_queue_listener
+
+file: packet.c
+
+notes:
+improved parsing packet in packet_queue_listener
+---
+ src/packet.c | 63 +++++++++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 43 insertions(+), 20 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 2e01bfc..c83a68d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -85,30 +85,53 @@ packet_queue_listener(LIBSSH2_SESSION * session, unsigned char *data,
+ char failure_code = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
+ int rc;
+ 
+- (void) datalen;
+-
+ 
+ if(listen_state->state == libssh2_NB_state_idle) {
+- unsigned char *s = data + (sizeof("forwarded-tcpip") - 1) + 5;
+- listen_state->sender_channel = _libssh2_ntohu32(s);
+- s += 4;
++ unsigned long offset = (sizeof("forwarded-tcpip") - 1) + 5;
++ size_t temp_len = 0;
++ struct string_buf buf;
++ buf.data = data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++
++ if(datalen < offset) {
++ return _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Unexpected packet size");
++ }
+ 
+- listen_state->initial_window_size = _libssh2_ntohu32(s);
+- s += 4;
+- listen_state->packet_size = _libssh2_ntohu32(s);
+- s += 4;
++ buf.dataptr += offset;
+ 
+- listen_state->host_len = _libssh2_ntohu32(s);
+- s += 4;
+- listen_state->host = s;
+- s += listen_state->host_len;
+- listen_state->port = _libssh2_ntohu32(s);
+- s += 4;
++ if(_libssh2_get_u32(&buf, &(listen_state->sender_channel))) {
++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting channel");
++ }
++ if(_libssh2_get_u32(&buf, &(listen_state->initial_window_size))) {
++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting window size");
++ }
++ if(_libssh2_get_u32(&buf, &(listen_state->packet_size))) {
++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting packet");
++ }
++ if(_libssh2_get_string(&buf, &(listen_state->host), &temp_len)) {
++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting host");
++ }
++ listen_state->host_len = (uint32_t)temp_len;
+ 
+- listen_state->shost_len = _libssh2_ntohu32(s);
+- s += 4;
+- listen_state->shost = s;
+- s += listen_state->shost_len;
+- listen_state->sport = _libssh2_ntohu32(s);
++ if(_libssh2_get_u32(&buf, &(listen_state->port))) {
++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting port");
++ }
++ if(_libssh2_get_string(&buf, &(listen_state->shost), &temp_len)) {
++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting shost");
++ }
++ listen_state->shost_len = (uint32_t)temp_len;
++
++ if(_libssh2_get_u32(&buf, &(listen_state->sport))) {
++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting sport");
++ }
+ 
+ _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+ "Remote received connection from %s:%ld to %s:%ld",
+-- 
+1.8.3.1
+
diff --git a/libssh2.spec b/libssh2.spec
index e49aa01..6bb4837 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,6 +1,6 @@
 Name: libssh2
 Version: 1.9.0
-Release: 5
+Release: 6
 Summary: A library implementing the SSH2 protocol
 License: BSD
 URL: https://www.libssh2.org/
@@ -11,6 +11,7 @@
 Patch1: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
 Patch2: fix-use-of-uninitialized-value-476-478.patch
 Patch3: fix-heap-buffer-overflow-in-kex_agree_methods.patch
 Patch4: 0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
+Patch5: 0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
 BuildRequires: coreutils findutils /usr/bin/man zlib-devel
 BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server
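Review bot: In the nested src/packet.c hunk, `listen_state->host` and `listen_state->shost` are now filled by `_libssh2_get_string` as length-delimited slices of the packet rather than NUL-terminated strings, yet the `_libssh2_debug` context line that directly follows the new parsing formats `%s:%ld to %s:%ld`; its arguments are outside the hunk, but if they are `shost`/`host` the trace reads past `shost_len`/`host_len` into whatever follows in the packet buffer, and a bounded `%.*s` with the recorded lengths (assuming the trace formatter is printf-compatible) would keep it inside the parsed data. The `datalen < offset` check reports `LIBSSH2_ERROR_OUT_OF_BOUNDARY` while the seven field reads that follow report `LIBSSH2_ERROR_BUFFER_TOO_SMALL` for the same condition, a packet shorter than the fields it must carry; one code for all of them lets callers treat short packets uniformly. `offset` is declared `unsigned long` but is compared against `datalen` and added to `buf.dataptr`, which are `size_t`-sized; `size_t offset = (sizeof("forwarded-tcpip") - 1) + 5;` matches the other lengths in the block. packet_queue_listener begins before and continues after the inner hunk, so the earlier checks that justify skipping the fixed `forwarded-tcpip` prefix are not visible here.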
@@ -90,6 +91,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_mandir}/man3/libssh2_*.3*
 
 %changelog
+* Thu Sep 24 2020 yuboyun - 1.9.0-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix heap-buffer-overflow in _libssh2_ntohu32
+
 * Fri Sep 11 2020 gaihuiying - 1.9.0-5
 - Type:bugfix
 - ID:NA
-- Gitee