| 1 | +From 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Will Cosgrove <will@panic.com> |
| 3 | +Date: Fri, 12 Jun 2026 15:57:44 -0700 |
| 4 | +Subject: [PATCH] transport.c: Additional boundary checks for packet length (#2052) |
| 5 | + |
| 6 | +Add additional bounds checking on packet length to prevent OOB write. |
| 7 | + |
| 8 | +The chacha20-poly1305 (REQUIRES_FULL_PACKET) read path parses packet_length |
| 9 | +without an upper bound. A crafted length near UINT32_MAX wraps the 32-bit |
| 10 | +total_num computation past the existing total_num > LIBSSH2_PACKET_MAXPAYLOAD |
| 11 | +guard, under-allocating the payload buffer that a later copy overflows |
| 12 | +(CWE-680). Bound packet_length directly, mirroring the guarded first-read |
| 13 | +branch. |
| 14 | + |
| 15 | +Note: upstream 97acf3df targets the post-1.11.1 tree (function renamed to |
| 16 | +ssh2_transport_read, nested conditionals merged); this is the equivalent |
| 17 | +guard adapted to the 1.11.1 _libssh2_transport_read() else branch. |
| 18 | + |
| 19 | +Credit: |
| 20 | +[TristanInSec](https://github.com/TristanInSec) |
| 21 | + |
| 22 | +Signed-off-by: Omkhar Arasaratnam <omkhar@linkedin.com> |
| 23 | +Upstream-reference: https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8.patch |
| 24 | +--- |
| 25 | + src/transport.c | 2 ++ |
| 26 | + 1 file changed, 2 insertions(+) |
| 27 | + |
| 28 | +diff --git a/src/transport.c b/src/transport.c |
| 29 | +index e1120656..5180741f 100644 |
| 30 | +--- a/src/transport.c |
| 31 | ++++ b/src/transport.c |
| 32 | +@@ -641,6 +641,8 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) |
| 33 | + p->packet_length = _libssh2_ntohu32(block); |
| 34 | + if(p->packet_length < 1) |
| 35 | + return LIBSSH2_ERROR_DECRYPT; |
| 36 | ++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) |
| 37 | ++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY; |
| 38 | + |
| 39 | + /* total_num may include size field, however due to existing |
| 40 | + * logic it needs to be removed after the entire packet is read |
| 41 | +-- |
| 42 | +2.34.1 |