CVE-2026-0964 scp: Reject invalid paths received through scp

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-11 18:50:28 +09:00 · 2025-12-22 19:16:44 +01:00
parent a5eb30dbfd
commit daa80818f8
1 changed files with 16 additions and 0 deletions
--- a/src/scp.c
+++ b/src/scp.c
@@ -874,6 +874,22 @@ int ssh_scp_pull_request(ssh_scp scp)
        size = strtoull(tmp, NULL, 10);
        p++;
        name = strdup(p);
+        /* Catch invalid name:
+         *  - empty ones
+         *  - containing any forward slash -- directory traversal handled
+         *    differently
+         *  - special names "." and ".." referring to the current and parent
+         *    directories -- they are not expected either
+         */
+        if (name == NULL || name[0] == '\0' || strchr(name, '/') ||
+            strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
+            ssh_set_error(scp->session,
+                          SSH_FATAL,
+                          "Received invalid filename: %s",
+                          name == NULL ? "<NULL>" : name);
+            SAFE_FREE(name);
+            goto error;
+        }
        SAFE_FREE(scp->request_name);
        scp->request_name = name;
        if (buffer[0] == 'C') {