-
Notifications
You must be signed in to change notification settings - Fork 10
/
CVE-2015-1782.patch
114 lines (106 loc) · 3.83 KB
/
CVE-2015-1782.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
From dd57ee000d2241274ef46ad5e08802c35ba0eb2c Mon Sep 17 00:00:00 2001
From: Mariusz Ziulek <[email protected]>
Date: Sat, 21 Feb 2015 23:31:36 +0100
Subject: [PATCH] kex: bail out on rubbish in the incoming packet
CVE-2015-1782
Bug: https://www.libssh2.org/adv_20150311.html
---
src/kex.c | 73 +++++++++++++++++++++++++++++++++++----------------------------
1 file changed, 41 insertions(+), 32 deletions(-)
diff --git a/src/kex.c b/src/kex.c
index fa4c4e1..ad7498a 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
/* TODO: When in server mode we need to turn this logic on its head
* The Client gets to make the final call on "agreed methods"
*/
+/*
+ * kex_string_pair() extracts a string from the packet and makes sure it fits
+ * within the given packet.
+ */
+static int kex_string_pair(unsigned char **sp, /* parsing position */
+ unsigned char *data, /* start pointer to packet */
+ size_t data_len, /* size of total packet */
+ size_t *lenp, /* length of the string */
+ unsigned char **strp) /* pointer to string start */
+{
+ unsigned char *s = *sp;
+ *lenp = _libssh2_ntohu32(s);
+
+ /* the length of the string must fit within the current pointer and the
+ end of the packet */
+ if (*lenp > (data_len - (s - data) -4))
+ return 1;
+ *strp = s + 4;
+ s += 4 + *lenp;
+
+ *sp = s;
+ return 0;
+}
+
/* kex_agree_methods
* Decide which specific method to use of the methods offered by each party
*/
static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
unsigned data_len)
@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
/* Skip cookie, don't worry, it's preserved in the kexinit field */
s += 16;
/* Locate each string */
- kex_len = _libssh2_ntohu32(s);
- kex = s + 4;
- s += 4 + kex_len;
- hostkey_len = _libssh2_ntohu32(s);
- hostkey = s + 4;
- s += 4 + hostkey_len;
- crypt_cs_len = _libssh2_ntohu32(s);
- crypt_cs = s + 4;
- s += 4 + crypt_cs_len;
- crypt_sc_len = _libssh2_ntohu32(s);
- crypt_sc = s + 4;
- s += 4 + crypt_sc_len;
- mac_cs_len = _libssh2_ntohu32(s);
- mac_cs = s + 4;
- s += 4 + mac_cs_len;
- mac_sc_len = _libssh2_ntohu32(s);
- mac_sc = s + 4;
- s += 4 + mac_sc_len;
- comp_cs_len = _libssh2_ntohu32(s);
- comp_cs = s + 4;
- s += 4 + comp_cs_len;
- comp_sc_len = _libssh2_ntohu32(s);
- comp_sc = s + 4;
-#if 0
- s += 4 + comp_sc_len;
- lang_cs_len = _libssh2_ntohu32(s);
- lang_cs = s + 4;
- s += 4 + lang_cs_len;
- lang_sc_len = _libssh2_ntohu32(s);
- lang_sc = s + 4;
- s += 4 + lang_sc_len;
-#endif
+ if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
+ return -1;
+ if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
+ return -1;
+ if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
+ return -1;
+ if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
+ return -1;
+ if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
+ return -1;
+ if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
+ return -1;
+ if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
+ return -1;
+ if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
+ return -1;
+
/* If the server sent an optimistic packet, assume that it guessed wrong.
* If the guess is determined to be right (by kex_agree_kex_hostkey)
* This flag will be reset to zero so that it's not ignored */
session->burn_optimistic_kexinit = *(s++);
/* Next uint32 in packet is all zeros (reserved) */
--
2.1.4