Subject: Re: [PATCH][WIP][v2] Fix out-of-buffer-boundary reads

From: Will Cosgrove <>
Date: Wed, 3 Apr 2019 14:07:19 -0700

>> The 1.8.x branch fixes only resolve the issues brought up by the
>> Canonical review while master contains a more exhaustive review and is
>> highly recommended to use.
> Stable distro won't use git master. You can say it is "downstream
> problem", but it won't change the end result: either upstream provides
> backport(ed|able) security fixes for a few previous branches, or most
> end users will use vulnerable code for years.
> And fixes in libssh2 git master are not backportable, 1.8.x branch is.

Yup, I agree. The plain fact of the matter is there isn’t enough manpower/interest to provide back-ported fixes for all the issues addressed on master. The plan is to release 1.9.0 on the 11th. I know that doesn’t help prior releases, but it does get the ball moving in the right direction.

>> I will submit a patch on Monday for the check length function, thanks
>> for bringing that to our attention.
> Not sure if it is still possible to practically exploit it (as of
> c07bc647f), but those (int) casts are wrong (and unneeded).
> Anyway, /proper/ check is:
> - if(len > buf->len)
> - return 0;
> -
> - return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;
> + return len <= (size_t)((buf->data + buf->len) - buf->dataptr);
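Review bot: the new `return len <= (size_t)((buf->data + buf->len) - buf->dataptr);` is only sound while `buf->dataptr` stays within `[buf->data, buf->data + buf->len]`; if `dataptr` were ever advanced past the end of the buffer, the pointer difference goes negative and the `(size_t)` cast turns it into a very large value that makes the comparison pass. The removed `if(len > buf->len) return 0;` guard is indeed redundant here (the remaining byte count can never exceed `buf->len`), but it would be worth stating the `dataptr` invariant in a comment next to the check, or adding an explicit `buf->dataptr <= buf->data + buf->len` test, so a future caller that moves `dataptr` unconditionally cannot silently defeat the bounds check.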

This is a better fix, thanks.
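To make concrete why the quoted review calls the `(int)` casts wrong, here is an added illustration (example code, not libssh2's own) that models the buffer state as plain offsets: `offset` stands in for `buf->dataptr - buf->data`, `buflen` for `buf->len`, and the caller is assumed to keep `offset <= buflen`. `check_old` reproduces the pre-patch logic with its casts and `check_new` the proposed replacement; the names and the offset model are this example's own. On the usual two's-complement ABIs, where converting an out-of-range `size_t` to `int` wraps, the two functions agree on ordinary inputs but part ways once any quantity exceeds `INT_MAX`: the old check then rejects reads that are in bounds and, worse, accepts reads that are not.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical offset-based model of the libssh2 length check (example code,
 * not the project's own). `offset` stands in for dataptr - data, `buflen` for
 * buf->len, and `len` is the number of bytes the caller wants to consume.
 * The caller is assumed to guarantee offset <= buflen. */

/* The pre-patch check, including the (int) casts under discussion. */
int check_old(size_t offset, size_t buflen, size_t len)
{
    if (len > buflen)
        return 0;
    /* Both casts silently truncate/wrap once a value exceeds INT_MAX. */
    return ((int)offset <= (int)(buflen - len)) ? 1 : 0;
}

/* The check proposed in the quoted patch: compare `len` against the number
 * of bytes that remain between the read cursor and the end of the buffer.
 * No cast is needed; every operand is already a size_t. */
int check_new(size_t offset, size_t buflen, size_t len)
{
    return (len <= buflen - offset) ? 1 : 0;
}

static void show(const char *label, size_t offset, size_t buflen, size_t len)
{
    printf("%-28s old=%d new=%d\n", label,
           check_old(offset, buflen, len), check_new(offset, buflen, len));
}

int main(void)
{
    /* Small buffers: the two checks agree. */
    show("exact fit", 0, 10, 10);
    show("one byte too many", 4, 10, 7);

    /* Buffer larger than INT_MAX: (int)(buflen - len) wraps negative, so the
     * old check rejects a read of a single byte that is plainly in bounds. */
    show("false reject (old)", 0, (size_t)INT_MAX + 2, 1);

    /* Cursor at the very end of a buffer larger than INT_MAX: (int)offset
     * wraps to INT_MIN, which is <= anything, so the old check accepts a
     * 5-byte read with zero bytes remaining. The new check rejects it. */
    show("false accept (old)", (size_t)INT_MAX + 1, (size_t)INT_MAX + 1, 5);
    return 0;
}
```

The last case is the one that matters for a bounds check: a sign-wrapped offset makes the old comparison trivially true, which is exactly the failure mode a read-length guard exists to prevent. Comparing the request against the remaining byte count in the buffer's own unsigned type avoids both the truncation and the separate `len > buf->len` pre-check.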



Received on 2019-04-03