代码拉取完成,页面将自动刷新
From a6a9093b39824a00258f96a5301a844b4d870cdc Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Thu, 28 Mar 2024 16:59:58 +0000
Subject: [PATCH] userauth: avoid oob with huge interactive kbd response
- If the length of a response is `UINT_MAX - 3` or larger, an unsigned
integer overflow occurs on 64-bit systems. Avoid such truncation to
always allocate enough memory to avoid subsequent out of boundary
writes.
Patch-by: Tobias Stoeckmann
- also add FIXME to bump up length field to `size_t` (ABI break)
Closes #1337
Reference:https://github.com/libssh2/libssh2/commit/a6a9093b39824a00258f96a5301a844b4d870cdc
Conflict:NA
---
include/libssh2.h | 2 +-
src/userauth.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/libssh2.h b/include/libssh2.h
index 8bc8a138..71673801 100644
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -292,7 +292,7 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_PROMPT
typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
{
char *text;
- unsigned int length;
+ unsigned int length; /* FIXME: change type to size_t */
} LIBSSH2_USERAUTH_KBDINT_RESPONSE;
typedef struct _LIBSSH2_SK_SIG_INFO {
diff --git a/src/userauth.c b/src/userauth.c
index 60fd48e4..43df3e15 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -2188,7 +2188,7 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
if(session->userauth_kybd_responses[i].length <=
(SIZE_MAX - 4 - session->userauth_kybd_packet_len)) {
session->userauth_kybd_packet_len +=
- 4 + session->userauth_kybd_responses[i].length;
+ 4 + (size_t)session->userauth_kybd_responses[i].length;
}
else {
_libssh2_error(session, LIBSSH2_ERROR_ALLOC,
--
2.33.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。