Update libssh2 to 1.8.1. Fixes #1523

2025-12-21 23:19:03 +00:00 · 2019-03-20 03:33:51 +00:00
parent 840af24083
commit 2f7b505bd8
31 changed files with 976 additions and 456 deletions
--- a/libssh2/src/packet.c
+++ b/libssh2/src/packet.c
@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
                uint32_t len = _libssh2_ntohu32(data + 5);
                unsigned char want_reply = 1;

-                if(len < (datalen - 10))
-                    want_reply = data[9 + len];
+                if((len + 9) < datalen)
+                    want_reply = data[len + 9];

                _libssh2_debug(session,
                               LIBSSH2_TRACE_CONN,
@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
                               channel, len, data + 9, want_reply);

                if (len == sizeof("exit-status") - 1
+                    && (sizeof("exit-status") - 1 + 9) <= datalen
                    && !memcmp("exit-status", data + 9,
                               sizeof("exit-status") - 1)) {

@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
                        channelp =
                            _libssh2_channel_locate(session, channel);

-                    if (channelp) {
+                    if (channelp && (sizeof("exit-status") + 13) <= datalen) {
                        channelp->exit_status =
                            _libssh2_ntohu32(data + 9 + sizeof("exit-status"));
                        _libssh2_debug(session, LIBSSH2_TRACE_CONN,
@@ -805,24 +806,32 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,

                }
                else if (len == sizeof("exit-signal") - 1
+                         && (sizeof("exit-signal") - 1 + 9) <= datalen
                         && !memcmp("exit-signal", data + 9,
                                    sizeof("exit-signal") - 1)) {
                    /* command terminated due to signal */
                    if(datalen >= 20)
                        channelp = _libssh2_channel_locate(session, channel);

-                    if (channelp) {
+                    if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
                        /* set signal name (without SIG prefix) */
                        uint32_t namelen =
                            _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
-                        channelp->exit_signal =
-                            LIBSSH2_ALLOC(session, namelen + 1);
+
+                        if(namelen <= UINT_MAX - 1) {
+                            channelp->exit_signal =
+                                LIBSSH2_ALLOC(session, namelen + 1);
+                        }
+                        else {
+                            channelp->exit_signal = NULL;
+                        }
+
                        if (!channelp->exit_signal)
                            rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
                                                "memory for signal name");
-                        else {
+                        else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
                            memcpy(channelp->exit_signal,
-                                   data + 13 + sizeof("exit_signal"), namelen);
+                                   data + 13 + sizeof("exit-signal"), namelen);
                            channelp->exit_signal[namelen] = '\0';
                            /* TODO: save error message and language tag */
                            _libssh2_debug(session, LIBSSH2_TRACE_CONN,