generic-library/ssh2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

kex: bail out on rubbish in the incoming packet

Browse Source 
CVE-2015-1782

Bug: http://www.libssh2.org/adv_20150311.html
This commit is contained in:
Mariusz Ziulek 2015-02-21 23:31:36 +01:00 committed by Daniel Stenberg
parent 8bb6cf7f95
commit 7d94b69b80
1 changed files with 41 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
src/kex.c
View File

@ -1549,6 +1549,30 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
* The Client gets to make the final call on "agreed methods" * The Client gets to make the final call on "agreed methods"
*/ */
/*
* kex_string_pair() extracts a string from the packet and makes sure it fits
* within the given packet.
*/
static int kex_string_pair(unsigned char **sp, /* parsing position */
unsigned char *data, /* start pointer to packet */
size_t data_len, /* size of total packet */
size_t *lenp, /* length of the string */
unsigned char **strp) /* pointer to string start */
{
unsigned char *s = *sp;
*lenp = _libssh2_ntohu32(s);
/* the length of the string must fit within the current pointer and the
end of the packet */
if (*lenp > (data_len - (s - data) -4))
return 1;
*strp = s + 4;
s += 4 + *lenp;
*sp = s;
return 0;
}
/* kex_agree_methods /* kex_agree_methods
* Decide which specific method to use of the methods offered by each party * Decide which specific method to use of the methods offered by each party
*/ */
@ -1568,38 +1592,23 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
s += 16; s += 16;
/* Locate each string */ /* Locate each string */
kex_len = _libssh2_ntohu32(s); if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
kex = s + 4; return -1;
s += 4 + kex_len; if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
hostkey_len = _libssh2_ntohu32(s); return -1;
hostkey = s + 4; if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
s += 4 + hostkey_len; return -1;
crypt_cs_len = _libssh2_ntohu32(s); if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
crypt_cs = s + 4; return -1;
s += 4 + crypt_cs_len; if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
crypt_sc_len = _libssh2_ntohu32(s); return -1;
crypt_sc = s + 4; if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
s += 4 + crypt_sc_len; return -1;
mac_cs_len = _libssh2_ntohu32(s); if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
mac_cs = s + 4; return -1;
s += 4 + mac_cs_len; if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
mac_sc_len = _libssh2_ntohu32(s); return -1;
mac_sc = s + 4;
s += 4 + mac_sc_len;
comp_cs_len = _libssh2_ntohu32(s);
comp_cs = s + 4;
s += 4 + comp_cs_len;
comp_sc_len = _libssh2_ntohu32(s);
comp_sc = s + 4;
#if 0
s += 4 + comp_sc_len;
lang_cs_len = _libssh2_ntohu32(s);
lang_cs = s + 4;
s += 4 + lang_cs_len;
lang_sc_len = _libssh2_ntohu32(s);
lang_sc = s + 4;
s += 4 + lang_sc_len;
#endif
/* If the server sent an optimistic packet, assume that it guessed wrong. /* If the server sent an optimistic packet, assume that it guessed wrong.
* If the guess is determined to be right (by kex_agree_kex_hostkey) * If the guess is determined to be right (by kex_agree_kex_hostkey)
* This flag will be reset to zero so that it's not ignored */ * This flag will be reset to zero so that it's not ignored */