LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
20982 Commits
1 Branch
46 MiB
Tree: d84b66ef66
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd84b66ef66'
${ noResults }
openwrt-packages-dist/libs/libssh/patches/0003-CVE-2020-16135.patch

165 lines
4.4 KiB
Raw Normal View History

libssh: patch security issue Fixes: CVE-2020-16135 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
4 years ago
 
  1. From 1493b4466fa394b321d196ad63dd6a4fa395d337 Mon Sep 17 00:00:00 2001
  2. From: Andreas Schneider <asn@cryptomilk.org>
  3. Date: Wed, 3 Jun 2020 10:04:09 +0200
  4. Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()
  5. 

  6. Thanks to Ramin Farajpour Cami for spotting this.
  7. 

  8. Fixes T232
  9. 

  10. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
  11. ---

  12.  src/sftpserver.c | 6 ++++++
  13.  1 file changed, 6 insertions(+)
  14. 

  15. diff --git a/src/sftpserver.c b/src/sftpserver.c

  16. index 5a2110e5..b639a2ce 100644

  17. --- a/src/sftpserver.c

  18. +++ b/src/sftpserver.c

  19. @@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {

  20.  
  21.    /* take a copy of the whole packet */
  22.    msg->complete_message = ssh_buffer_new();
  23. +  if (msg->complete_message == NULL) {

  24. +      ssh_set_error_oom(session);

  25. +      sftp_client_message_free(msg);

  26. +      return NULL;

  27. +  }

  28. +

  29.    ssh_buffer_add_data(msg->complete_message,
  30.                        ssh_buffer_get(payload),
  31.                        ssh_buffer_get_len(payload));
  32. -- 

  33. GitLab
  34. 

  35. 

  36. From dbfb7f44aa905a7103bdde9a198c1e9b0f480c2e Mon Sep 17 00:00:00 2001
  37. From: Andreas Schneider <asn@cryptomilk.org>
  38. Date: Wed, 3 Jun 2020 10:05:51 +0200
  39. Subject: [PATCH 2/4] sftpserver: Add missing return check for
  40.  ssh_buffer_add_data()
  41. 

  42. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
  43. ---

  44.  src/sftpserver.c | 11 ++++++++---
  45.  1 file changed, 8 insertions(+), 3 deletions(-)
  46. 

  47. diff --git a/src/sftpserver.c b/src/sftpserver.c

  48. index b639a2ce..9117f155 100644

  49. --- a/src/sftpserver.c

  50. +++ b/src/sftpserver.c

  51. @@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {

  52.        return NULL;
  53.    }
  54.  
  55. -  ssh_buffer_add_data(msg->complete_message,

  56. -                      ssh_buffer_get(payload),

  57. -                      ssh_buffer_get_len(payload));

  58. +  rc = ssh_buffer_add_data(msg->complete_message,

  59. +                           ssh_buffer_get(payload),

  60. +                           ssh_buffer_get_len(payload));

  61. +  if (rc < 0) {

  62. +      ssh_set_error_oom(session);

  63. +      sftp_client_message_free(msg);

  64. +      return NULL;

  65. +  }

  66.  
  67.    ssh_buffer_get_u32(payload, &msg->id);
  68.  
  69. -- 

  70. GitLab
  71. 

  72. 

  73. From 65ae496222018221080dd753a52f6d70bf3ca5f3 Mon Sep 17 00:00:00 2001
  74. From: Andreas Schneider <asn@cryptomilk.org>
  75. Date: Wed, 3 Jun 2020 10:10:11 +0200
  76. Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()
  77. 

  78. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
  79. ---

  80.  src/buffer.c | 35 ++++++++++++++++++-----------------
  81.  1 file changed, 18 insertions(+), 17 deletions(-)
  82. 

  83. diff --git a/src/buffer.c b/src/buffer.c

  84. index a2e6246a..476bc135 100644

  85. --- a/src/buffer.c

  86. +++ b/src/buffer.c

  87. @@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)

  88.   */
  89.  int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
  90.  {
  91. -  buffer_verify(buffer);

  92. +    buffer_verify(buffer);

  93.  
  94. -  if (data == NULL) {

  95. -      return -1;

  96. -  }

  97. +    if (data == NULL) {

  98. +        return -1;

  99. +    }

  100.  
  101. -  if (buffer->used + len < len) {

  102. -    return -1;

  103. -  }

  104. +    if (buffer->used + len < len) {

  105. +        return -1;

  106. +    }

  107.  
  108. -  if (buffer->allocated < (buffer->used + len)) {

  109. -    if(buffer->pos > 0)

  110. -      buffer_shift(buffer);

  111. -    if (realloc_buffer(buffer, buffer->used + len) < 0) {

  112. -      return -1;

  113. +    if (buffer->allocated < (buffer->used + len)) {

  114. +        if (buffer->pos > 0) {

  115. +            buffer_shift(buffer);

  116. +        }

  117. +        if (realloc_buffer(buffer, buffer->used + len) < 0) {

  118. +            return -1;

  119. +        }

  120.      }
  121. -  }

  122.  
  123. -  memcpy(buffer->data+buffer->used, data, len);

  124. -  buffer->used+=len;

  125. -  buffer_verify(buffer);

  126. -  return 0;

  127. +    memcpy(buffer->data + buffer->used, data, len);

  128. +    buffer->used += len;

  129. +    buffer_verify(buffer);

  130. +    return 0;

  131.  }
  132.  
  133.  /**
  134. -- 

  135. GitLab
  136. 

  137. 

  138. From df0acab3a077bd8ae015e3e8b4c71ff31b5900fe Mon Sep 17 00:00:00 2001
  139. From: Andreas Schneider <asn@cryptomilk.org>
  140. Date: Wed, 3 Jun 2020 10:11:21 +0200
  141. Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument
  142. 

  143. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
  144. ---

  145.  src/buffer.c | 4 ++++
  146.  1 file changed, 4 insertions(+)
  147. 

  148. diff --git a/src/buffer.c b/src/buffer.c

  149. index 476bc135..ce12f491 100644

  150. --- a/src/buffer.c

  151. +++ b/src/buffer.c

  152. @@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)

  153.   */
  154.  int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
  155.  {
  156. +    if (buffer == NULL) {

  157. +        return -1;

  158. +    }

  159. +

  160.      buffer_verify(buffer);
  161.  
  162.      if (data == NULL) {
  163. -- 

  164. GitLab
  165.