Subject: Re: [PATCH][WIP][v2] Fix out-of-buffer-boundary reads

From: Will Cosgrove <will_at_panic.com>
Date: Wed, 3 Apr 2019 14:07:19 -0700

>> The 1.8.x branch fixes only resolve the issues brought up by the
>> Canonical review while master contains a more exhaustive review and is
>> highly recommended to use.
>
> Stable distro won't use git master. You can say it is "downstream
> problem", but it won't change the end result: either upstream provides
> backport(ed|able) security fixes for few previous branches, or most of
> end users will use vulnerable code for years.
>
> And fixes in libssh2 git master are not backportable, 1.8.x branch is.

Yup, I agree. The plain fact of the matter is there isn’t enough manpower/interest to provide back-ported fixes for all the issues addressed on master. The plan is to release 1.9.0 on the 11th. I know that doesn’t help prior releases, but it does get the ball moving in the right direction.

>> I will submit a patch on Monday for the check length function, thanks
>> for bringing that to our attention.
>
> Not sure if it is still possible to practically exploit it (as of
> c07bc647f), but those (int) casts are wrong (and unneeded).
>
> Anyway, /proper/ check is:
>
> - if(len > buf->len)
> - return 0;
> -
> - return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;
> + return len <= (size_t)((buf->data + buf->len) - buf->dataptr);
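Review bot: the replacement line `return len <= (size_t)((buf->data + buf->len) - buf->dataptr);` is only correct while `buf->dataptr` lies inside `[buf->data, buf->data + buf->len]`; if the cursor has already been advanced past the end, the pointer difference is negative and the `(size_t)` cast turns it into a huge "remaining" count, so any `len` passes. The removed lines compared `dataptr - data` against `buf->len - len` and would have rejected that case. Either guard it explicitly, e.g. `if(buf->dataptr > buf->data + buf->len) return 0;` before the subtraction, or document the invariant at the places that move `dataptr` so the check's precondition is visible.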

This is a better fix, thanks.

Regards,

Will
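To make the discussion above concrete, here is an added example (not code from this thread or from libssh2) that puts the removed check, the proposed check and a guarded variant side by side over a constructed buffer; the `struct buf` layout is an assumption inferred from the field names quoted in the patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-in for libssh2's packet buffer: [data, data+len) is the valid
   region and dataptr is the read cursor (inferred from the quoted field names). */
struct buf {
    unsigned char *data;
    size_t len;
    unsigned char *dataptr;
};

/* The removed check: the (int) casts misbehave once sizes exceed INT_MAX. */
static int check_length_old(const struct buf *b, size_t len)
{
    if (len > b->len)
        return 0;
    return ((int)(b->dataptr - b->data) <= (int)(b->len - len)) ? 1 : 0;
}

/* The proposed check: correct as long as dataptr lies inside the buffer. */
static int check_length_new(const struct buf *b, size_t len)
{
    return len <= (size_t)((b->data + b->len) - b->dataptr);
}

/* Guarded variant: a cursor already past the end makes the pointer difference
   negative, and the size_t cast turns that into a huge "remaining" count, so
   reject an out-of-range cursor before subtracting. */
static int check_length_safe(const struct buf *b, size_t len)
{
    if (b->dataptr < b->data || b->dataptr > b->data + b->len)
        return 0;
    return len <= (size_t)((b->data + b->len) - b->dataptr);
}

static unsigned char storage[32];                                  /* constructed: 16 valid bytes */
static struct buf in_bounds    = { storage, 16, storage + 12 };    /* 4 bytes remain */
static struct buf stale_cursor = { storage, 16, storage + 20 };    /* cursor 4 bytes past the end */

int main(void)
{
    printf("in-bounds len=4: old=%d new=%d safe=%d\n", check_length_old(&in_bounds, 4),
           check_length_new(&in_bounds, 4), check_length_safe(&in_bounds, 4));
    printf("in-bounds len=5: old=%d new=%d safe=%d\n", check_length_old(&in_bounds, 5),
           check_length_new(&in_bounds, 5), check_length_safe(&in_bounds, 5));
    printf("stale cursor len=4: old=%d new=%d safe=%d\n", check_length_old(&stale_cursor, 4),
           check_length_new(&stale_cursor, 4), check_length_safe(&stale_cursor, 4));
    return 0;
}
```

The stale-cursor row is the case the proposed one-liner gets wrong on its own: the removed check rejects it, the bare `(size_t)` subtraction accepts it, and the guarded variant rejects it again.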

_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2019-04-03