From f79ec51b7fd519dbc5737a7ba826e3ed093f6ceb Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 23 Apr 2025 12:44:33 +0200
Subject: [PATCH] CVE-2025-5449 sftpserver: Fix possible read behind buffer on 32bit arch

On 32b architecture when processing the SFTP packets, the value 0x7ffffffc in the payload_len will overflow to negative integer values, causing these checks to pass and possibly reading behind the buffer bounds later. This affects only SFTP server implementations running on 32b architecture.

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 src/sftp.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/sftp.c b/src/sftp.c
index 154de480..37b4133b 100644
--- a/src/sftp.c
+++ b/src/sftp.c
@@ -361,10 +361,10 @@ int
 sftp_decode_channel_data_to_packet(sftp_session sftp, void *data, uint32_t len)
 {
     sftp_packet packet = sftp->read_packet;
-    int nread;
-    int payload_len;
-    unsigned int data_offset;
-    int to_read, rc;
+    size_t nread;
+    size_t payload_len;
+    size_t data_offset;
+    size_t to_read, rc;
 
     if (packet->sftp == NULL) {
         packet->sftp = sftp;
@@ -380,7 +380,7 @@ sftp_decode_channel_data_to_packet(sftp_session sftp, void *data, uint32_t len)
     packet->type = PULL_BE_U8(data, 4);
 
     /* We should check the legality of payload length */
-    if (payload_len + sizeof(uint32_t) > len || payload_len < 0) {
+    if (payload_len > len - sizeof(uint32_t) || payload_len < sizeof(uint8_t)) {
         return SSH_ERROR;
     }
 
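Review bot: `rc` is redeclared as `size_t` on the last `+` line together with `to_read`, but by its name it carries a status code rather than a length; if it later receives the `int` result of a buffer helper (the function body continues outside this hunk), a negative return value becomes a large unsigned value, so a `!= 0` test still works but any `rc < 0` test would be silently dead and `-Wsign-conversion` will warn at the assignment. Keeping the status variable signed and separate from the length variables avoids that ambiguity: `size_t to_read;` followed by `int rc;`. The same applies to `nread` if it is ever assigned a signed read result, which cannot be confirmed from the lines shown.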
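Review bot: The rewritten check on the `+` line evaluates `len - sizeof(uint32_t)` before comparing, and since `len` is `uint32_t` that subtraction wraps to a huge value whenever `len < 4`, at which point any `payload_len` satisfies the first test. Whether `len >= 5` is already guaranteed depends on the lines preceding this hunk (the `PULL_BE_U32` read at offset 0 and the `PULL_BE_U8(data, 4)` on the first context line already assume at least five bytes), but that guard is not visible here. Making the precondition explicit in the same condition costs nothing and documents the reliance: `if (len < sizeof(uint32_t) + sizeof(uint8_t) || payload_len > len - sizeof(uint32_t) || payload_len < sizeof(uint8_t)) {`. If the earlier guard does exist, a one-line comment naming it above the `if` would serve the same purpose.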
@@ -399,10 +399,12 @@ sftp_decode_channel_data_to_packet(sftp_session sftp, void *data, uint32_t len)
     }
 
     /*
-     * We should return how many bytes we decoded, including packet length header
-     * and the payload length.
+     * We should return how many bytes we decoded, including packet length
+     * header and the payload length.
+     * This can't overflow as we pulled this from unit32_t and checked this fits
+     * into the buffer's max size of 0x10000000 (256MB).
      */
-    return payload_len + sizeof(uint32_t);
+    return (int)(payload_len + sizeof(uint32_t));
 }
 
 /* Get the last sftp error */
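Review bot: The added comment misspells `uint32_t` as `unit32_t` on the third `+` line; it should read `* This can't overflow as we pulled this from uint32_t and checked this fits`. More importantly, the justification for the `(int)` cast rests on the 0x10000000 buffer limit being enforced somewhere outside this function: the check earlier in the same function only bounds `payload_len` by `len`, and `len` is a `uint32_t` that, as far as this file shows, could exceed `INT_MAX - 4`, in which case the cast yields a negative value indistinguishable from an error return. Either name where the bound comes from, e.g. `/* len is capped by the channel buffer limit of 0x10000000 enforced in <CALLER OR BUFFER CODE> */`, or make the guarantee local with `if (payload_len > INT_MAX - sizeof(uint32_t)) { return SSH_ERROR; }` placed just before the return.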