CVE-2025-5449 sftpserver: Avoid NULL dereference for invalid handles

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Jakub Jelen
2025-04-23 11:38:52 +02:00
committed by Andreas Schneider
parent a4118ddc06
commit e322e8f50c


@@ -961,7 +961,7 @@ process_read(sftp_client_message client_msg)
ssh_string_len(handle));
h = sftp_handle(sftp, handle);
if (h->type == SFTP_FILE_HANDLE) {
if (h != NULL && h->type == SFTP_FILE_HANDLE) {
fd = h->fd;
}
@@ -1019,7 +1019,7 @@ process_write(sftp_client_message client_msg)
ssh_string_len(handle));
h = sftp_handle(sftp, handle);
if (h->type == SFTP_FILE_HANDLE) {
if (h != NULL && h->type == SFTP_FILE_HANDLE) {
fd = h->fd;
}
if (fd < 0) {
@@ -1064,7 +1064,11 @@ process_close(sftp_client_message client_msg)
ssh_string_len(handle));
h = sftp_handle(sftp, handle);
if (h->type == SFTP_FILE_HANDLE) {
if (h == NULL) {
SSH_LOG(SSH_LOG_PROTOCOL, "invalid handle");
sftp_reply_status(client_msg, SSH_FX_INVALID_HANDLE, "Invalid handle");
return SSH_OK;
} else if (h->type == SFTP_FILE_HANDLE) {
int fd = h->fd;
close(fd);
ret = SSH_OK;
@@ -1232,7 +1236,7 @@ process_readdir(sftp_client_message client_msg)
ssh_string_len(handle));
h = sftp_handle(sftp, client_msg->handle);
if (h->type == SFTP_DIR_HANDLE) {
if (h != NULL && h->type == SFTP_DIR_HANDLE) {
dir = h->dirp;
handle_name = h->name;
}
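Review bot: In the process_read, process_write and process_readdir hunks a NULL handle is now skipped silently, so rejecting the request depends on `fd` (or `dir`) still holding a failure sentinel that is initialised outside the visible lines; only process_write shows the following `if (fd < 0)` check. process_close instead logs and answers `SSH_FX_INVALID_HANDLE` immediately, so the four handlers may report the same client error differently, and three of them leave no log entry of their own for an unknown handle. Consider giving the other three the same explicit branch, `if (h == NULL) { SSH_LOG(SSH_LOG_PROTOCOL, "invalid handle"); sftp_reply_status(client_msg, SSH_FX_INVALID_HANDLE, "Invalid handle"); return SSH_OK; }`, which keeps the behaviour uniform and makes repeated invalid-handle requests visible in the protocol log. All four function bodies start and end outside the hunks, so whether an early return there skips any cleanup needs to be checked against the full file.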