NULL terminate server_sign_algorithms string (libssh2 PR:669)
files: packet.c, libssh2_priv.h

notes:
* Fix heap buffer overflow in _libssh2_key_sign_algorithm

When allocating `session->server_sign_algorithms`, which is a `char*`, it is important to also allocate space for the string-terminating null byte at the end and make sure the string is actually null terminated.

Without this fix, the `strchr()` call inside the `_libssh2_key_sign_algorithm` (line 1219) function will try to parse the string and go out of buffer on the last invocation.

Credit: tihmstar
Co-authored-by: Will Cosgrove <will@panic.com>
julianmesa-gitkraken and willco007 committed Feb 8, 2022
1 parent bbf444a commit 089f1e4
Showing 2 changed files with 2 additions and 3 deletions.
1 change: 0 additions & 1 deletion vendor/libssh2/src/libssh2_priv.h
Expand Up @@ -642,7 +642,6 @@ struct _LIBSSH2_SESSION

/* public key algorithms accepted as comma separated list */
char *server_sign_algorithms;
size_t server_sign_algorithms_len;

/* key signing algorithm preferences -- NULL yields server order */
char *sign_algo_prefs;
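
Review bot: With `server_sign_algorithms_len` dropped from the struct, the terminator is the only thing bounding reads of `server_sign_algorithms`, yet the comment above the field still says only "comma separated list". Suggest stating in that comment that the string is always NUL-terminated, so later code that allocates or replaces this buffer keeps the invariant, and confirming that no other file still references the removed member.
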
4 changes: 2 additions & 2 deletions vendor/libssh2/src/packet.c
Expand Up @@ -665,12 +665,12 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,

session->server_sign_algorithms =
LIBSSH2_ALLOC(session,
value_len);
value_len + 1);

if(session->server_sign_algorithms) {
session->server_sign_algorithms_len = value_len;
memcpy(session->server_sign_algorithms,
value, value_len);
session->server_sign_algorithms[value_len] = '\0';
}
else {
rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
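
Review bot: `value_len + 1` in the `LIBSSH2_ALLOC` call has no visible upper bound on `value_len`. If `value_len` is at the maximum of its type, the sum wraps and the following `memcpy(..., value, value_len)` and the `[value_len] = '\0'` write land outside the allocation. Please confirm the length is bounded before this point or add an explicit check ahead of the allocation. Separately, `memcpy` copies any embedded NUL bytes in `value` as-is, so string parsing will stop at the first one; if that silent truncation is acceptable, a short comment saying so would help.
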