From e322e8f50c8548b6f05f095669228f97a0bd466b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 23 Apr 2025 11:38:52 +0200
Subject: [PATCH] CVE-2025-5449 sftpserver: Avoid NULL dereference for invalid handles
Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 src/sftpserver.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/sftpserver.c b/src/sftpserver.c
index c77947eb..c78e8a07 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -961,7 +961,7 @@ process_read(sftp_client_message client_msg)
 ssh_string_len(handle));
 h = sftp_handle(sftp, handle);
- if (h->type == SFTP_FILE_HANDLE) {
+ if (h != NULL && h->type == SFTP_FILE_HANDLE) {
 fd = h->fd;
 }
@@ -1019,7 +1019,7 @@ process_write(sftp_client_message client_msg)
 ssh_string_len(handle));
 h = sftp_handle(sftp, handle);
- if (h->type == SFTP_FILE_HANDLE) {
+ if (h != NULL && h->type == SFTP_FILE_HANDLE) {
 fd = h->fd;
 }
 if (fd < 0) {
@@ -1064,7 +1064,11 @@ process_close(sftp_client_message client_msg)
 ssh_string_len(handle));
 h = sftp_handle(sftp, handle);
- if (h->type == SFTP_FILE_HANDLE) {
+ if (h == NULL) {
+ SSH_LOG(SSH_LOG_PROTOCOL, "invalid handle");
+ sftp_reply_status(client_msg, SSH_FX_INVALID_HANDLE, "Invalid handle");
+ return SSH_OK;
+ } else if (h->type == SFTP_FILE_HANDLE) {
 int fd = h->fd;
 close(fd);
 ret = SSH_OK;
@@ -1232,7 +1236,7 @@ process_readdir(sftp_client_message client_msg)
 ssh_string_len(handle));
 h = sftp_handle(sftp, client_msg->handle);
- if (h->type == SFTP_DIR_HANDLE) {
+ if (h != NULL && h->type == SFTP_DIR_HANDLE) {
 dir = h->dirp;
 handle_name = h->name;
 }
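Review bot: When `sftp_handle()` returns NULL in process_read, the new guard only skips `fd = h->fd`, so rejecting the request depends on `fd` having an invalid initial value and on a later check, neither of which is visible in this hunk. The process_write hunk shows `if (fd < 0) {` right after the guard, and the process_readdir hunk relies in the same way on `dir` and `handle_name`. process_close in this same patch instead logs the event and replies `SSH_FX_INVALID_HANDLE`; doing the same in these three functions would give clients one consistent status and leave a log line whenever a request carries a handle that does not resolve. At minimum I would add a comment above each guard, for example `/* h is NULL when the client-supplied handle does not resolve; fd stays invalid and is rejected below */`. All three function bodies start and end outside their hunks.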
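Review bot: The new `h == NULL` branch in process_close discards the result of `sftp_reply_status()` and returns `SSH_OK`, so a reply that could not be sent looks the same to the caller as a handled request. Whether the rest of the function treats reply failures the same way cannot be seen from this hunk; if the caller is meant to see them, the branch could end with `return sftp_reply_status(client_msg, SSH_FX_INVALID_HANDLE, "Invalid handle");`. A one-line comment would also help the next reader, for example `/* handle is client-supplied and did not resolve; stop before h is dereferenced below */`. The `else if` chain and the rest of the function continue past the end of the hunk.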