From e868036a8e496e36cf986e000e050974cc30a0ae Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 8 Jan 2026 12:09:50 +0100
Subject: [PATCH 1/2] CVE-2026-0966 misc: Avoid heap buffer underflow in ssh_get_hexa
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jakub Jelen
Reviewed-by: Pavol Žáčik
(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401)
---
 src/misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/misc.c b/src/misc.c
index 6607775e..0cca373a 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -452,7 +452,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len)
 size_t i;
 size_t hlen = len * 3;
- if (len > (UINT_MAX - 1) / 3) {
+ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) {
 return NULL;
 }
--
2.53.0
From c112289ce14ef29f173d87b6cc507f066d6ca751 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 8 Jan 2026 12:10:16 +0100
Subject: [PATCH 2/2] CVE-2026-0966 tests: Test coverage for ssh_get_hexa
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jakub Jelen
Reviewed-by: Pavol Žáčik
(cherry picked from commit 9be83584a56580da5a2f41e47137056dc0249b52)
---
 tests/unittests/torture_misc.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
index 77166759..4470c358 100644
--- a/tests/unittests/torture_misc.c
+++ b/tests/unittests/torture_misc.c
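Review bot: In src/misc.c the widened guard changes what `ssh_get_hexa` promises — a NULL `what` or `len == 0` now returns NULL — yet the hunk carries no comment saying why an empty input is rejected. I would add `/* Reject NULL and empty input: with len == 0, hlen is 0 and the buffer arithmetic below would underflow */` above the `if`, and state the NULL return for empty input in the function's doc comment. The write that underflows is outside this hunk, so the wording is inferred from the commit title and should be checked against the rest of the body. Callers that pass the result straight to a log or format call should be checked for a NULL test, since zero-length input presumably did not take this early return before.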
@@ -877,6 +877,36 @@ static void torture_ssh_is_ipaddr(void **state) {
 assert_int_equal(rc, 0);
 }
+static void torture_ssh_get_hexa(void **state)
+{
+ const unsigned char *bin = NULL;
+ char *hex = NULL;
+
+ (void)state;
+
+ /* Null pointer should not crash */
+ bin = NULL;
+ hex = ssh_get_hexa(bin, 0);
+ assert_null(hex);
+
+ /* Null pointer should not crash regardless the length */
+ bin = NULL;
+ hex = ssh_get_hexa(bin, 99);
+ assert_null(hex);
+
+ /* Zero length input is not much useful. Just expect NULL too */
+ bin = (const unsigned char *)"";
+ hex = ssh_get_hexa(bin, 0);
+ assert_null(hex);
+
+ /* Valid inputs */
+ bin = (const unsigned char *)"\x00\xFF";
+ hex = ssh_get_hexa(bin, 2);
+ assert_non_null(hex);
+ assert_string_equal(hex, "00:ff");
+ ssh_string_free_char(hex);
+}
+
 int torture_run_tests(void) {
 int rc;
 struct CMUnitTest tests[] = {
@@ -903,6 +933,7 @@ int torture_run_tests(void) {
 cmocka_unit_test(torture_ssh_strerror),
 cmocka_unit_test(torture_ssh_check_hostname_syntax),
 cmocka_unit_test(torture_ssh_is_ipaddr),
+ cmocka_unit_test(torture_ssh_get_hexa),
 };
 ssh_init();
--
2.53.0
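Review bot: `torture_ssh_get_hexa` leaves both edges of the new guard untested: the smallest accepted length (`len == 1`) and the oversize rejection (`len > (UINT_MAX - 1) / 3`). A one-byte case such as `hex = ssh_get_hexa((const unsigned char *)"\x7f", 1); assert_string_equal(hex, "7f"); ssh_string_free_char(hex);` would pin the value just above the rejected zero; the expected string is inferred from the `"00:ff"` case and should be confirmed. If the guard in src/misc.c runs before `what` is read, as the first patch suggests, `assert_null(ssh_get_hexa(bin, (size_t)(UINT_MAX - 1) / 3 + 1));` covers the upper bound without a large allocation. A short comment in the test naming CVE-2026-0966 would also tell later readers why the zero-length case must keep returning NULL.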