Diffstat (limited to 'meta-oe/recipes-support/libssh2/libssh2-1.4.3')
-rw-r--r-- | meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch
new file mode 100644
index 0000000000..5f4a7c728d
--- /dev/null
+++ b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch
@@ -0,0 +1,115 @@
+From c7f66cca285033da9b8c9de8eceff52d7b3c3ef3 Mon Sep 17 00:00:00 2001
+From: Mariusz Ziulek <mzet@owasp.org>
+Date: Sat, 21 Feb 2015 23:31:36 +0100
+Subject: [PATCH] kex: bail out on rubbish in the incoming packet
+
+Upstream-Status: Backport
+
+Signed-off-by: Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br>
+
+---
+ src/kex.c | 73 +++++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 41 insertions(+), 32 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index fa4c4e1..ad7498a 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+
+ /* TODO: When in server mode we need to turn this logic on its head
+ * The Client gets to make the final call on "agreed methods"
+ */
+
++/*
++ * kex_string_pair() extracts a string from the packet and makes sure it fits
++ * within the given packet.
++ */
++static int kex_string_pair(unsigned char **sp, /* parsing position */
++ unsigned char *data, /* start pointer to packet */
++ size_t data_len, /* size of total packet */
++ size_t *lenp, /* length of the string */
++ unsigned char **strp) /* pointer to string start */
++{
++ unsigned char *s = *sp;
++ *lenp = _libssh2_ntohu32(s);
++
++ /* the length of the string must fit within the current pointer and the
++ end of the packet */
++ if (*lenp > (data_len - (s - data) -4))
++ return 1;
++ *strp = s + 4;
++ s += 4 + *lenp;
++
++ *sp = s;
++ return 0;
++}
++
+ /* kex_agree_methods
+ * Decide which specific method to use of the methods offered by each party
+ */
+ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+ unsigned data_len)
+@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+
+ /* Skip cookie, don't worry, it's preserved in the kexinit field */
+ s += 16;
+
+ /* Locate each string */
+- kex_len = _libssh2_ntohu32(s);
+- kex = s + 4;
+- s += 4 + kex_len;
+- hostkey_len = _libssh2_ntohu32(s);
+- hostkey = s + 4;
+- s += 4 + hostkey_len;
+- crypt_cs_len = _libssh2_ntohu32(s);
+- crypt_cs = s + 4;
+- s += 4 + crypt_cs_len;
+- crypt_sc_len = _libssh2_ntohu32(s);
+- crypt_sc = s + 4;
+- s += 4 + crypt_sc_len;
+- mac_cs_len = _libssh2_ntohu32(s);
+- mac_cs = s + 4;
+- s += 4 + mac_cs_len;
+- mac_sc_len = _libssh2_ntohu32(s);
+- mac_sc = s + 4;
+- s += 4 + mac_sc_len;
+- comp_cs_len = _libssh2_ntohu32(s);
+- comp_cs = s + 4;
+- s += 4 + comp_cs_len;
+- comp_sc_len = _libssh2_ntohu32(s);
+- comp_sc = s + 4;
+-#if 0
+- s += 4 + comp_sc_len;
+- lang_cs_len = _libssh2_ntohu32(s);
+- lang_cs = s + 4;
+- s += 4 + lang_cs_len;
+- lang_sc_len = _libssh2_ntohu32(s);
+- lang_sc = s + 4;
+- s += 4 + lang_sc_len;
+-#endif
++ if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
++ return -1;
++
+ /* If the server sent an optimistic packet, assume that it guessed wrong.
+ * If the guess is determined to be right (by kex_agree_kex_hostkey)
+ * This flag will be reset to zero so that it's not ignored */
+ session->burn_optimistic_kexinit = *(s++);
+ /* Next uint32 in packet is all zeros (reserved) */
+--
+2.1.4
+ |
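Review bot: kex_string_pair() reads the 4-byte length with `*lenp = _libssh2_ntohu32(s);` before it has checked that 4 bytes remain, and the bound it then tests, `data_len - (s - data) -4`, is unsigned arithmetic that wraps to a huge value when fewer than 4 bytes are left, so the comparison passes for any length and `s` is still advanced past the end of the packet. Put a guard on the length field itself ahead of the read, `if(data_len < 4 || (size_t)(s - data) > data_len - 4) return 1;`, so that a name-list ending within 4 bytes of the packet end is rejected rather than parsed. The same gap remains in the caller: after the eight kex_string_pair() calls `s` may legitimately sit at `data + data_len`, yet `session->burn_optimistic_kexinit = *(s++);` dereferences it with no remaining-length check, and the reserved uint32 read that the last comment announces is outside the hunk. kex_agree_methods() starts and ends outside the hunk, so the cookie skip `s += 16;` is also unchecked as far as this view shows. Since the file is marked Upstream-Status: Backport, any tightening is better carried as a separate follow-up patch in the recipe than as edits to this backport.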