Reproducer for out of bounds read of SFTP extensions

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
2026-02-11 18:50:28 +09:00 · 2025-12-11 13:21:23 +01:00
parent 855a0853ad
commit b90b7f2451
1 changed files with 61 additions and 1 deletions
--- a/tests/client/torture_sftp_init.c
+++ b/tests/client/torture_sftp_init.c
@@ -72,6 +72,63 @@ static void session_setup_channel(void **state)
    assert_non_null(s->ssh.tsftp);
 }

+static void session_setup_extensions(void **state)
+{
+    struct torture_state *s = *state;
+    struct passwd *pwd = NULL;
+    int rc, count;
+    const char *name = NULL, *data = NULL;
+    sftp_session sftp = NULL;
+
+    pwd = getpwnam("bob");
+    assert_non_null(pwd);
+
+    rc = setuid(pwd->pw_uid);
+    assert_return_code(rc, errno);
+
+    s->ssh.session = torture_ssh_session(s,
+                                         TORTURE_SSH_SERVER,
+                                         NULL,
+                                         TORTURE_SSH_USER_ALICE,
+                                         NULL);
+    assert_non_null(s->ssh.session);
+
+    s->ssh.tsftp = torture_sftp_session(s->ssh.session);
+    assert_non_null(s->ssh.tsftp);
+    sftp = s->ssh.tsftp->sftp;
+
+    /* null parameter */
+    count = sftp_extensions_get_count(NULL);
+    assert_int_equal(count, 0);
+
+    count = sftp_extensions_get_count(sftp);
+    assert_int_not_equal(count, 0);
+
+    /* first null parameter */
+    name = sftp_extensions_get_name(NULL, 0);
+    assert_null(name);
+    data = sftp_extensions_get_data(NULL, 0);
+    assert_null(data);
+
+    /* First extension */
+    name = sftp_extensions_get_name(sftp, 0);
+    assert_non_null(name);
+    data = sftp_extensions_get_data(sftp, 0);
+    assert_non_null(data);
+
+    /* Last extension */
+    name = sftp_extensions_get_name(sftp, count - 1);
+    assert_non_null(name);
+    data = sftp_extensions_get_data(sftp, count - 1);
+    assert_non_null(data);
+
+    /* Overrun */
+    name = sftp_extensions_get_name(sftp, count);
+    assert_null(name);
+    data = sftp_extensions_get_data(sftp, count);
+    assert_null(data);
+}
+
 static int session_teardown(void **state)
 {
    struct torture_state *s = *state;
@@ -92,7 +149,10 @@ int torture_run_tests(void) {
                                        session_teardown),
        cmocka_unit_test_setup_teardown(session_setup_channel,
                                        NULL,
-                                        session_teardown)
+                                        session_teardown),
+        cmocka_unit_test_setup_teardown(session_setup_extensions,
+                                        NULL,
+                                        session_teardown),
    };

    ssh_init();