Subject: [libssh2] #191: src/packet.c:_libssh2_packet_add problems

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Wed, 13 Oct 2010 13:48:23 -0000

#191: src/packet.c:_libssh2_packet_add problems
---------------------------+------------------------------------------------
 Reporter: josefsson.org | Owner:
     Type: defect | Status: new
 Priority: normal | Milestone:
Component: misc | Version: 1.2.7
 Keywords: | Blocks:
Blocked By: |
---------------------------+------------------------------------------------
 This function does two things in a bad way:

 1) It may potentially read from DATA beyond the DATALEN limit. For
 example:

             reason = _libssh2_ntohu32(data + 1);
             message_len = _libssh2_ntohu32(data + 5);
             /* 9 = packet_type(1) + reason(4) + message_len(4) */
             message = (char *) data + 9;

 2) It does no checking that the data provided is within proper range. For
 example:

             language_len = _libssh2_ntohu32(data + 9 + message_len);
 ...
             message[message_len] = '\0';
             language = (char *) data + 9 + message_len + 3;
             if (language_len) {
                 memmove(language, language + 1, language_len);
             }
             language[language_len] = '\0';

 Since the idiom is used throughout the function, it is rather
 time-consuming to fix. I have no time to work on it. :-(

-- 
Ticket URL: <http://trac.libssh2.org/ticket/191>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-10-13
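The fields the ticket quotes (reason code, message string, language tag) are the SSH_MSG_DISCONNECT payload, and the idiom it criticises computes `data + 9 + message_len` without comparing anything to DATALEN. The following is an added example, not libssh2's code and not the eventual fix: a bounds-checked parser for that payload in which every length-prefixed read is validated against the buffer length before the pointer is advanced. The struct, helper names and sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
/* Layout of an SSH_MSG_DISCONNECT payload (RFC 4253):
 *   byte packet_type(1), uint32 reason_code, string description, string language_tag
 * where an SSH string is a uint32 big-endian length followed by that many bytes. */
typedef struct {
    uint32_t reason;
    const unsigned char *message;  uint32_t message_len;
    const unsigned char *language; uint32_t language_len;
} disconnect_t;

/* Read a big-endian uint32 at *pos, but only if 4 bytes remain before datalen. */
static int get_u32(const unsigned char *data, size_t datalen, size_t *pos, uint32_t *out)
{
    if (datalen - *pos < 4) return -1;
    *out = ((uint32_t)data[*pos] << 24) | ((uint32_t)data[*pos + 1] << 16) |
           ((uint32_t)data[*pos + 2] << 8) | (uint32_t)data[*pos + 3];
    *pos += 4;
    return 0;
}

/* Read an SSH string: the length prefix must fit, and the length it claims
 * must not exceed the bytes actually left in the packet (no copy is made). */
static int get_string(const unsigned char *data, size_t datalen, size_t *pos,
                      const unsigned char **out, uint32_t *len)
{
    if (get_u32(data, datalen, pos, len) != 0) return -1;
    if (*len > datalen - *pos) return -1;   /* claimed length overruns datalen */
    *out = data + *pos;
    *pos += *len;
    return 0;
}

/* Returns 0 on success, -1 if any field would read past datalen. */
int parse_disconnect(const unsigned char *data, size_t datalen, disconnect_t *d)
{
    size_t pos = 1;                         /* skip packet_type once it is known to exist */
    if (datalen < 1 || data[0] != 1 /* SSH_MSG_DISCONNECT */) return -1;
    if (get_u32(data, datalen, &pos, &d->reason) != 0) return -1;
    if (get_string(data, datalen, &pos, &d->message, &d->message_len) != 0) return -1;
    return get_string(data, datalen, &pos, &d->language, &d->language_len);
}
/* Constructed samples: a valid packet (reason 11, "bye", "en"), and one whose
 * message_len field claims 0x40000000 bytes inside an 18-byte packet. */
static const unsigned char GOOD[] = {1, 0,0,0,11, 0,0,0,3,'b','y','e', 0,0,0,2,'e','n'};
static const unsigned char BAD[]  = {1, 0,0,0,11, 0x40,0,0,0,'b','y','e', 0,0,0,2,'e','n'};
/* Small wrappers returning plain ints so the outcomes are easy to check. */
int demo_good_reason(void)   { disconnect_t d; return parse_disconnect(GOOD, sizeof GOOD, &d) ? -1 : (int)d.reason; }
int demo_good_lang_len(void) { disconnect_t d; return parse_disconnect(GOOD, sizeof GOOD, &d) ? -1 : (int)d.language_len; }
int demo_bad_result(void)    { disconnect_t d; return parse_disconnect(BAD, sizeof BAD, &d); }
```

The unchecked idiom from the ticket would compute `language_len = _libssh2_ntohu32(data + 9 + 0x40000000)` on the BAD buffer; here the oversized length is rejected before any pointer is derived from it.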