From bd1caefbeebdceab380a1da631c60ca02e56f774 Mon Sep 17 00:00:00 2001
From: yu_boyun <1215979730@qq.com>
Date: Thu, 24 Sep 2020 10:15:57 +0800
Subject: [PATCH] fix heap-buffer-overflow in _libssh2_ntohu32

---
 ...d-packet-parsing-in-packet_queue_lis.patch | 97 +++++++++++++++++++
 libssh2.spec                                  |  9 +-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch

diff --git a/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
new file mode 100644
index 0000000..383a759
--- /dev/null
+++ b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
@@ -0,0 +1,97 @@
+From 80d3ea5b413d269ec77aebbb0aabbe738ba31796 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Wed, 4 Sep 2019 12:16:52 -0700
+Subject: [PATCH] packet.c: improved packet parsing in packet_queue_listener
+ (#404)
+
+* improved bounds checking in packet_queue_listener
+
+file: packet.c
+
+notes:
+improved parsing packet in packet_queue_listener
+---
+ src/packet.c | 63 +++++++++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 43 insertions(+), 20 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 2e01bfc..c83a68d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -85,30 +85,53 @@ packet_queue_listener(LIBSSH2_SESSION * session, unsigned char *data,
+     char failure_code = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
+     int rc;
+ 
+-    (void) datalen;
+-
+     if(listen_state->state == libssh2_NB_state_idle) {
+-        unsigned char *s = data + (sizeof("forwarded-tcpip") - 1) + 5;
+-        listen_state->sender_channel = _libssh2_ntohu32(s);
+-        s += 4;
++        unsigned long offset = (sizeof("forwarded-tcpip") - 1) + 5;
++        size_t temp_len = 0;
++        struct string_buf buf;
++        buf.data = data;
++        buf.dataptr = buf.data;
++        buf.len = datalen;
++
++        if(datalen < offset) {
++            return _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                  "Unexpected packet size");
++        }
+ 
+-        listen_state->initial_window_size = _libssh2_ntohu32(s);
+-        s += 4;
+-        listen_state->packet_size = _libssh2_ntohu32(s);
+-        s += 4;
++        buf.dataptr += offset;
+ 
+-        listen_state->host_len = _libssh2_ntohu32(s);
+-        s += 4;
+-        listen_state->host = s;
+-        s += listen_state->host_len;
+-        listen_state->port = _libssh2_ntohu32(s);
+-        s += 4;
++        if(_libssh2_get_u32(&buf, &(listen_state->sender_channel))) {
++            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++                                  "Data too short extracting channel");
++        }
++        if(_libssh2_get_u32(&buf, &(listen_state->initial_window_size))) {
++            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++                                  "Data too short extracting window size");
++        }
++        if(_libssh2_get_u32(&buf, &(listen_state->packet_size))) {
++            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++                                  "Data too short extracting packet");
++        }
++        if(_libssh2_get_string(&buf, &(listen_state->host), &temp_len)) {
++            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++                                  "Data too short extracting host");
++        }
++        listen_state->host_len = (uint32_t)temp_len;
+ 
+-        listen_state->shost_len = _libssh2_ntohu32(s);
+-        s += 4;
+-        listen_state->shost = s;
+-        s += listen_state->shost_len;
+-        listen_state->sport = _libssh2_ntohu32(s);
++        if(_libssh2_get_u32(&buf, &(listen_state->port))) {
++            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++                                  "Data too short extracting port");
++        }
++        if(_libssh2_get_string(&buf, &(listen_state->shost), &temp_len)) {
++            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++                                  "Data too short extracting shost");
++        }
++        listen_state->shost_len = (uint32_t)temp_len;
++
++        if(_libssh2_get_u32(&buf, &(listen_state->sport))) {
++            return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++                                  "Data too short extracting sport");
++        }
+ 
+         _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+                        "Remote received connection from %s:%ld to %s:%ld",
+-- 
+1.8.3.1
+
diff --git a/libssh2.spec b/libssh2.spec
index e49aa01..6bb4837 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,6 +1,6 @@
 Name:		libssh2
 Version:	1.9.0
-Release:	5
+Release:	6
 Summary:	A library implementing the SSH2 protocol
 License:	BSD
 URL:		https://www.libssh2.org/
@@ -11,6 +11,7 @@ Patch1:         0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
 Patch2:         fix-use-of-uninitialized-value-476-478.patch
 Patch3:         fix-heap-buffer-overflow-in-kex_agree_methods.patch
 Patch4:         0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
+Patch5:		0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
 
 BuildRequires:	coreutils findutils /usr/bin/man zlib-devel
 BuildRequires:	gcc make sed openssl-devel > 1:1.0.1 openssh-server
@@ -90,6 +91,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_mandir}/man3/libssh2_*.3*
 
 %changelog
+* Thu Sep 24 2020 yuboyun <yuboyun@huawei.com> - 1.9.0-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix heap-buffer-overflow in _libssh2_ntohu32
+
 * Fri Sep 11 2020 gaihuiying <gaihuiying1@huawei.com> - 1.9.0-5
 - Type:bugfix
 - ID:NA
-- 
Gitee