blob: 3265be3485192dd5da8e079aa8704089534a5ea2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From 2014fad3d28090b59d2f8a0971166c06e5fa6da6 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Fri, 18 Oct 2019 14:56:58 +0800
Subject: [PATCH] upstream: fix integer overflow in XMSS private key parsing.
Reported by Adam Zabrocki via SecuriTeam's SSH program.
Note that this code is experimental and not compiled by default.
ok markus@
OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
Signed-off-by: "djm@openbsd.org" <djm@openbsd.org>
Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a]
CVE: CVE-2019-16905
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
sshkey-xmss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sshkey-xmss.c b/sshkey-xmss.c
index aaae702..c57681a 100644
--- a/sshkey-xmss.c
+++ b/sshkey-xmss.c
@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
goto out;
}
/* check that an appropriate amount of auth data is present */
- if (sshbuf_len(encoded) < encrypted_len + authlen) {
+ if (sshbuf_len(encoded) < authlen ||
+ sshbuf_len(encoded) - authlen < encrypted_len) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
--
2.7.4
|
