code.ossystems Code Review - openembedded-core.git/blob

   1 From 2014fad3d28090b59d2f8a0971166c06e5fa6da6 Mon Sep 17 00:00:00 2001
   2 From: Hongxu Jia <hongxu.jia@windriver.com>
   3 Date: Fri, 18 Oct 2019 14:56:58 +0800
   4 Subject: [PATCH] upstream: fix integer overflow in XMSS private key parsing.
   5
   6 Reported by Adam Zabrocki via SecuriTeam's SSH program.
   7
   8 Note that this code is experimental and not compiled by default.
   9
  10 ok markus@
  11
  12 OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
  13
  14 Signed-off-by: "djm@openbsd.org" <djm@openbsd.org>
  15
  16 Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a]
  17 CVE: CVE-2019-16905
  18
  19 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  20 ---
  21  sshkey-xmss.c | 3 ++-
  22  1 file changed, 2 insertions(+), 1 deletion(-)
  23
  24 diff --git a/sshkey-xmss.c b/sshkey-xmss.c
  25 index aaae702..c57681a 100644
  26 --- a/sshkey-xmss.c
  27 +++ b/sshkey-xmss.c
  28 @@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
  29                 goto out;
  30         }
  31         /* check that an appropriate amount of auth data is present */
  32 -       if (sshbuf_len(encoded) < encrypted_len + authlen) {
  33 +       if (sshbuf_len(encoded) < authlen ||
  34 +           sshbuf_len(encoded) - authlen < encrypted_len) {
  35                 r = SSH_ERR_INVALID_FORMAT;
  36                 goto out;
  37         }
  38 --
  39 2.7.4
  40