shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-11 18:50:28 +09:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2026-0968: sftp: Sanitize input handling in sftp_parse_longname()

Browse Source 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
2025-12-22 20:59:11 +01:00
parent 28d6d10ddc
commit 20856f44c1
1 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/sftp_common.c
View File

@@ -464,16 +464,21 @@ static char * sftp_parse_longname(const char *longname,
const char *p = NULL, *q = NULL; const char *p = NULL, *q = NULL;
size_t len, field = 0; size_t len, field = 0;
if (longname == NULL || longname_field < SFTP_LONGNAME_PERM ||
longname_field > SFTP_LONGNAME_NAME) {
return NULL;
}
p = longname; p = longname;
/* /*
* Find the beginning of the field which is specified * Find the beginning of the field which is specified
* by sftp_longname_field_e. * by sftp_longname_field_e.
*/ */
while (field != longname_field) { while (*p != '\0' && field != longname_field) {
if (isspace(*p)) { if (isspace(*p)) {
field++; field++;
p++; p++;
while (*p && isspace(*p)) { while (*p != '\0' && isspace(*p)) {
p++; p++;
} }
} else { } else {
@@ -481,8 +486,13 @@ static char * sftp_parse_longname(const char *longname,
} }
} }
/* If we reached NULL before we got our field fail */
if (field != longname_field) {
return NULL;
}
q = p; q = p;
while (! isspace(*q)) { while (*q != '\0' && !isspace(*q)) {
q++; q++;
} }