From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Jun 2020 10:04:09 +0200 Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new() Add a missing NULL check for the pointer returned by ssh_buffer_new() in sftpserver.c. Thanks to Ramin Farajpour Cami for spotting this. Fixes T232 Signed-off-by: Andreas Schneider Reviewed-by: Anderson Toshiyuki Sasaki Reviewed-by: Jakub Jelen (cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53) Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3748ca69bde5651f20e72761058c] CVE: CVE-2020-16135 Signed-off-by: Hitendra Prajapati
---
 src/sftpserver.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/sftpserver.c b/src/sftpserver.c
index 1717aa417..1af8a0e76 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
 /* take a copy of the whole packet */
 msg->complete_message = ssh_buffer_new();
+ if (msg->complete_message == NULL) {
+ ssh_set_error_oom(session);
+ sftp_client_message_free(msg);
+ return NULL;
+ }
+
 ssh_buffer_add_data(msg->complete_message, ssh_buffer_get(payload), ssh_buffer_get_len(payload));
--
2.25.1
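Review bot: The result of `ssh_buffer_add_data()` on the context lines directly after the new NULL check is still discarded, so an allocation failure while copying the payload leaves `msg->complete_message` empty or short and the function continues as if the copy succeeded. This path handles packets from a remote SFTP client and fails under the same out-of-memory condition the commit guards against, so it should take the same error path as the added check. `session` and `payload` are declared outside the hunk, and the function body starts and ends outside it, so whether anything else must be released on this path cannot be confirmed from here.

```c
  /* … unchanged: ssh_buffer_new() and its NULL check … */
  if (ssh_buffer_add_data(msg->complete_message,
                          ssh_buffer_get(payload),
                          ssh_buffer_get_len(payload)) < 0) {
      ssh_set_error_oom(session);
      sftp_client_message_free(msg);
      return NULL;
  }
```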