#191: src/packet.c:_libssh2_packet_add problems
---------------------------+------------------------------------------------
Reporter: josefsson.org | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: misc | Version: 1.2.7
Keywords: | Blocks:
Blocked By: |
---------------------------+------------------------------------------------
This function does two things in a bad way:
1) It may potentially read from DATA beyond the DATALEN limit. For
example:

    reason = _libssh2_ntohu32(data + 1);
    message_len = _libssh2_ntohu32(data + 5);
    /* 9 = packet_type(1) + reason(4) + message_len(4) */
    message = (char *) data + 9;

2) It does no checking that the data provided is within proper range. For
example:

    language_len = _libssh2_ntohu32(data + 9 + message_len);
    ...
    message[message_len] = '\0';
    language = (char *) data + 9 + message_len + 3;
    if (language_len) {
        memmove(language, language + 1, language_len);
    }
    language[language_len] = '\0';
Since the idiom is used throughout the function, it is rather time
consuming to fix. I have no time to work on it. :-(
--
Ticket URL: <http://trac.libssh2.org/ticket/191>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel
http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-10-13
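As an added illustration (not code from the ticket, and not libssh2's own fix), the following is a bounds-checked parser for the same SSH_MSG_DISCONNECT layout the ticket quotes: packet_type(1) + reason(4) + message_len(4) + message + language_len(4) + language. Every read is checked against the bytes remaining in DATA before it happens, so an oversized message_len or a truncated payload makes the parser return an error instead of indexing past DATALEN. The function and type names (parse_disconnect, struct cursor, take_u32, take_bytes) and the sample packets are assumptions constructed for this example; the parser also returns pointer/length pairs rather than writing a '\0' into the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an SSH_MSG_DISCONNECT payload (hypothetical type, not libssh2's). */
struct disconnect_msg {
    uint32_t reason;
    const unsigned char *message;   /* points into the input, NOT NUL-terminated */
    uint32_t message_len;
    const unsigned char *language;
    uint32_t language_len;
};

/* Cursor over the input: every read is checked against `left` first. */
struct cursor { const unsigned char *p; size_t left; };

static uint32_t read_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Read a 4-byte big-endian length; -1 if fewer than 4 bytes remain. */
static int take_u32(struct cursor *c, uint32_t *out) {
    if (c->left < 4) return -1;
    *out = read_u32_be(c->p);
    c->p += 4; c->left -= 4;
    return 0;
}

/* Claim `len` bytes for a string field; -1 if the claimed length exceeds what remains. */
static int take_bytes(struct cursor *c, uint32_t len, const unsigned char **out) {
    if (c->left < len) return -1;
    *out = c->p;
    c->p += len; c->left -= len;
    return 0;
}

/* Returns 0 on success, -1 if the packet is malformed or truncated. */
int parse_disconnect(const unsigned char *data, size_t datalen, struct disconnect_msg *m) {
    struct cursor c = { data, datalen };
    if (c.left < 1) return -1;
    if (*c.p != 1) return -1;          /* SSH_MSG_DISCONNECT has packet type 1 */
    c.p++; c.left--;
    if (take_u32(&c, &m->reason)) return -1;
    if (take_u32(&c, &m->message_len)) return -1;
    if (take_bytes(&c, m->message_len, &m->message)) return -1;
    if (take_u32(&c, &m->language_len)) return -1;
    if (take_bytes(&c, m->language_len, &m->language)) return -1;
    return 0;
}

/* Constructed sample: well-formed packet, reason 11, message "bye", language "en". */
static const unsigned char GOOD_PKT[] = {
    0x01, 0x00,0x00,0x00,0x0b, 0x00,0x00,0x00,0x03, 'b','y','e',
    0x00,0x00,0x00,0x02, 'e','n' };

/* Constructed sample: message_len claims 0xffffffff bytes but only three follow;
 * the unchecked idiom would compute data + 9 + message_len and read far past DATALEN. */
static const unsigned char BAD_LEN_PKT[] = {
    0x01, 0x00,0x00,0x00,0x0b, 0xff,0xff,0xff,0xff, 'b','y','e' };

/* Constructed sample: payload cut off in the middle of language_len. */
static const unsigned char SHORT_PKT[] = {
    0x01, 0x00,0x00,0x00,0x0b, 0x00,0x00,0x00,0x03, 'b','y','e', 0x00,0x00 };

/* Returns the parsed reason code (11) for the good packet, negative on any mismatch. */
int example_good_reason(void) {
    struct disconnect_msg m;
    if (parse_disconnect(GOOD_PKT, sizeof GOOD_PKT, &m) != 0) return -1;
    if (m.message_len != 3 || memcmp(m.message, "bye", 3) != 0) return -2;
    if (m.language_len != 2 || memcmp(m.language, "en", 2) != 0) return -3;
    return (int)m.reason;
}

int example_bad_len(void) {
    struct disconnect_msg m;
    return parse_disconnect(BAD_LEN_PKT, sizeof BAD_LEN_PKT, &m);   /* -1 */
}

int example_short(void) {
    struct disconnect_msg m;
    return parse_disconnect(SHORT_PKT, sizeof SHORT_PKT, &m);       /* -1 */
}

int main(void) {
    printf("good: reason=%d  bad_len: %d  short: %d\n",
           example_good_reason(), example_bad_len(), example_short());
    return 0;
}
```

The point of the cursor helpers is that the length read from the wire (message_len, language_len) is never trusted as an offset until it has been compared with the bytes actually left in DATA; applying the same check at each field is what the ticket's "idiom used throughout the function" lacks.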