libssh: CVE-2020-16135 Fix NULL pointer dereference in sftpserver.c

Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3748ca69bde5651f20e72761058c Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
ni · Jul 2, 2023 · ac70b00 · ac70b00
1 parent ec47660
commit ac70b00
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
@@ -0,0 +1,44 @@
+From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new()
+
+Add a missing NULL check for the pointer returned by ssh_buffer_new() in
+sftpserver.c.
+
+Thanks to Ramin Farajpour Cami for spotting this.
+
+Fixes T232
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+(cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3748ca69bde5651f20e72761058c]
+CVE: CVE-2020-16135
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/sftpserver.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 1717aa417..1af8a0e76 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+
+   /* take a copy of the whole packet */
+   msg->complete_message = ssh_buffer_new();
++  if (msg->complete_message == NULL) {
++      ssh_set_error_oom(session);
++      sftp_client_message_free(msg);
++      return NULL;
++  }
++
+   ssh_buffer_add_data(msg->complete_message,
+                       ssh_buffer_get(payload),
+                       ssh_buffer_get_len(payload));
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -6,7 +6,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
 
 DEPENDS = "zlib openssl"
 
-SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.8"
+SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.8 \
+           file://CVE-2020-16135.patch \
+          "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
 
 S = "${WORKDIR}/git"