Actions
Security #2883
closedssh: heap buffer overflow
Git IDs:
51790d3824bc381e24aaeef20338dd6b8bd4e453
Severity:
Disclosure Date:
Description
### Bugreport SSHParseBanner (app-layer-ssh.c) There is an integer and as a result a heap buffer overflow at line 99. ## Input If *input of the function *SSHParseBanner(SshState *state, SshHeader *header, const uint8_t *input, uint32_t input_len)* only consists only one spezial character **'\n'**, the program runs into a heap buffer overfow. ## Reason At **line 76** in the function *SSHParseBanner*, the program search for a “'\r'”. If not, then match the input with a “'\n'”. After this point line_len is “0”. And this is the problem. At line 97, we subtract “-4” from line_len and we get a negativ integer. Unfortunatly, input_len is an unsigned integer and smaall negativ integers are now very big unsigned integers. The result is, that the **input_len** is much higher then the given buffer. The function *BasicSearch* needs the length and will crash by of reading to much memory space because of the high input_len value. This results in a heap-buffer-overflow.
Updated by Victor Julien over 5 years ago
- Copied to Security #2944: ssh: heap buffer overflow (master) added
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
Updated by Victor Julien over 4 years ago
- Tracker changed from Bug to Security
- CVE set to 2019-10053
- Git IDs updated (diff)
Actions