From 796d85f786dff62bd4bcc4408d9b7bbc855841e9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 22 Dec 2025 20:59:11 +0100
Subject: [PATCH] CVE-2026-0968: sftp: Sanitize input handling in sftp_parse_longname()

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
(cherry picked from commit 20856f44c146468c830da61dcbbbaa8ce71e390b)
---
 src/sftp_common.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/sftp_common.c b/src/sftp_common.c
index 35506f5d..8ada3a1f 100644
--- a/src/sftp_common.c
+++ b/src/sftp_common.c
@@ -461,16 +461,21 @@ static char * sftp_parse_longname(const char *longname,
 const char *p = NULL, *q = NULL;
 size_t len, field = 0;
 
+ if (longname == NULL || longname_field < SFTP_LONGNAME_PERM ||
+ longname_field > SFTP_LONGNAME_NAME) {
+ return NULL;
+ }
+
 p = longname;
 /*
 * Find the beginning of the field which is specified
 * by sftp_longname_field_e.
 */
- while (field != longname_field) {
+ while (*p != '\0' && field != longname_field) {
 if (isspace(*p)) {
 field++;
 p++;
- while (*p && isspace(*p)) {
+ while (*p != '\0' && isspace(*p)) {
 p++;
 }
 } else {
@@ -478,8 +483,13 @@ static char * sftp_parse_longname(const char *longname,
 }
 }
 
+ /* If we reached NULL before we got our field fail */
+ if (field != longname_field) {
+ return NULL;
+ }
+
 q = p;
- while (! isspace(*q)) {
+ while (*q != '\0' && !isspace(*q)) {
 q++;
 }
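Review bot: The rewritten loop conditions in the first hunk (`while (*p != '\0' && isspace(*p))`, plus the untouched `if (isspace(*p))`) and in the second hunk (`while (*q != '\0' && !isspace(*q))`) still hand a plain `char` to `isspace()`, so any byte above 0x7F in the longname becomes a negative argument on platforms where `char` is signed, which `<ctype.h>` only defines for EOF. Since the commit exists to harden parsing of this presumably server-supplied string, each call should cast first: `isspace((unsigned char)*p)` and `isspace((unsigned char)*q)`. The new range guard on `longname_field` and the NUL checks are otherwise sound, and the same cast point applies to the second hunk. sftp_parse_longname continues beyond both hunks, so the later consumers of `p` and `q` could not be reviewed here.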
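Review bot: The comment added in the second hunk says `NULL` where it means the string terminator, which reads like a pointer check rather than an end-of-string check; `/* If we hit the NUL terminator before reaching the requested field, fail */` states the actual condition. The check itself is consistent with the new loop condition in the first hunk: with `*p != '\0'` in the loop guard, the loop can only end with `field != longname_field` after the terminator was reached, so returning NULL here is the right outcome. The rest of sftp_parse_longname, where `p` and `q` are used after this point, lies outside the hunk.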