42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
diff -up libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 libssh-0.9.4/src/buffer.c
|
|
--- libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 2021-04-21 10:27:53.562473773 +0200
|
|
+++ libssh-0.9.4/src/buffer.c 2021-04-21 10:29:21.768165663 +0200
|
|
@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_
|
|
*/
|
|
int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
|
|
{
|
|
+ if (buffer == NULL) {
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
buffer_verify(buffer);
|
|
|
|
if (data == NULL) {
|
|
diff -up libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 libssh-0.9.4/src/sftpserver.c
|
|
--- libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 2021-04-21 10:30:43.864796642 +0200
|
|
+++ libssh-0.9.4/src/sftpserver.c 2021-04-21 10:41:52.166933113 +0200
|
|
@@ -67,9 +67,20 @@ sftp_client_message sftp_get_client_mess
|
|
|
|
/* take a copy of the whole packet */
|
|
msg->complete_message = ssh_buffer_new();
|
|
- ssh_buffer_add_data(msg->complete_message,
|
|
- ssh_buffer_get(payload),
|
|
- ssh_buffer_get_len(payload));
|
|
+ if (msg->complete_message == NULL) {
|
|
+ ssh_set_error_oom(session);
|
|
+ sftp_client_message_free(msg);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ rc = ssh_buffer_add_data(msg->complete_message,
|
|
+ ssh_buffer_get(payload),
|
|
+ ssh_buffer_get_len(payload));
|
|
+ if (rc < 0) {
|
|
+ ssh_set_error_oom(session);
|
|
+ sftp_client_message_free(msg);
|
|
+ return NULL;
|
|
+ }
|
|
|
|
ssh_buffer_get_u32(payload, &msg->id);
|
|
|