meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 3 Jun 2020 10:04:09 +0200
Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new()

Add a missing NULL check for the pointer returned by ssh_buffer_new() in
sftpserver.c.

Thanks to Ramin Farajpour Cami for spotting this.

Fixes T232

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
(cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53)

Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3748ca69bde5651f20e72761058c]
CVE: CVE-2020-16135
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 src/sftpserver.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/sftpserver.c b/src/sftpserver.c
index 1717aa417..1af8a0e76 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
 
   /* take a copy of the whole packet */
   msg->complete_message = ssh_buffer_new();
+  if (msg->complete_message == NULL) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
+
   ssh_buffer_add_data(msg->complete_message,
                       ssh_buffer_get(payload),
                       ssh_buffer_get_len(payload));
-- 
2.25.1