
[sftpserver] NULL pointer deref
Closed, Resolved (Public)

Description

Hi,

There is a NULL pointer dereference issue in "src/sftpserver.c": if "ssh_buffer_new()" returns NULL, there isn't any check for the NULL return,

https://gitlab.com/libssh/libssh-mirror/-/blob/master/src/sftpserver.c#L68

msg->complete_message = ssh_buffer_new(); // may return NULL

and NULL is passed to "ssh_buffer_add_data()",

https://gitlab.com/libssh/libssh-mirror/-/blob/master/src/buffer.c#L300

ssh_buffer_add_data(msg->complete_message, // msg->complete_message is passed even if it is NULL
                    ssh_buffer_get(payload),
                    ssh_buffer_get_len(payload));

buffer_verify(buffer);

which passes NULL on to "buffer_verify()"; there "ssh_buffer buf" is NULL and we have a NULL pointer bug,

https://gitlab.com/libssh/libssh-mirror/-/blob/master/src/buffer.c#L76

static void buffer_verify(ssh_buffer buf)
{
    bool do_abort = false;

    if (buf->data == NULL) {  // NULL->data
        return;

Thanks,
Ramin,
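The allocation-failure path the report describes, as an added example that is not part of the ticket and not libssh's own code: a stand-alone C model in which a buffer constructor can return NULL, the append routine verifies the buffer before touching it (so a NULL buffer crashes there), and a message builder is shown once without the check and once with it. All names (msg_buffer, sftp_msg, g_fail_next_alloc, build_message_unchecked, build_message_checked, k_payload) are hypothetical, and a fault-injection flag stands in for a real out-of-memory condition so the failure path can be exercised deterministically.

```c
/* Added example: a self-contained model of the bug pattern in the report, not
 * libssh's own code. All names here (msg_buffer, sftp_msg, g_fail_next_alloc,
 * build_message_unchecked, build_message_checked) are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct msg_buffer_struct { uint8_t *data; uint32_t used, allocated; } *msg_buffer;
typedef struct sftp_msg_struct { msg_buffer complete_message; } *sftp_msg;

/* Hypothetical fault-injection switch: fails the next allocation so the OOM
 * path is reproducible instead of waiting for a real out-of-memory. */
static bool g_fail_next_alloc = false;

/* Models ssh_buffer_new(): returns NULL when allocation fails. */
static msg_buffer msg_buffer_new(void)
{
    if (g_fail_next_alloc) { g_fail_next_alloc = false; return NULL; }
    msg_buffer buf = calloc(1, sizeof(*buf));
    if (buf == NULL) return NULL;
    buf->allocated = 16;
    buf->data = calloc(1, buf->allocated);
    if (buf->data == NULL) { free(buf); return NULL; }
    return buf;
}
static void msg_buffer_free(msg_buffer buf) { if (buf != NULL) { free(buf->data); free(buf); } }

/* Models buffer_verify(): dereferences buf unconditionally, so NULL crashes here. */
static void buffer_verify(msg_buffer buf)
{
    if (buf->data == NULL) return;
    if (buf->used > buf->allocated) abort();
}

/* Models ssh_buffer_add_data(): verify, grow if needed, append, verify again. */
static int msg_buffer_add_data(msg_buffer buf, const void *data, uint32_t len)
{
    buffer_verify(buf);
    if (buf->used + len > buf->allocated) {
        uint8_t *p = realloc(buf->data, buf->used + len);
        if (p == NULL) return -1;
        buf->data = p;
        buf->allocated = buf->used + len;
    }
    memcpy(buf->data + buf->used, data, len);
    buf->used += len;
    buffer_verify(buf);
    return 0;
}

/* The pattern from the report: the allocation result is passed on unchecked.
 * If msg_buffer_new() returned NULL, this crashes inside buffer_verify(). */
static sftp_msg build_message_unchecked(const uint8_t *payload, uint32_t len)
{
    sftp_msg msg = calloc(1, sizeof(*msg));
    if (msg == NULL) return NULL;
    msg->complete_message = msg_buffer_new();
    msg_buffer_add_data(msg->complete_message, payload, len);
    return msg;
}

/* Hardened form: check the allocation, unwind on failure, propagate errors. */
static sftp_msg build_message_checked(const uint8_t *payload, uint32_t len)
{
    sftp_msg msg = calloc(1, sizeof(*msg));
    if (msg == NULL) return NULL;
    msg->complete_message = msg_buffer_new();
    if (msg->complete_message == NULL) { free(msg); return NULL; }
    if (msg_buffer_add_data(msg->complete_message, payload, len) < 0) {
        msg_buffer_free(msg->complete_message); free(msg); return NULL;
    }
    return msg;
}
static void sftp_msg_free(sftp_msg msg) { if (msg != NULL) { msg_buffer_free(msg->complete_message); free(msg); } }

/* Constructed payload: 25 bytes, enough to force one realloc past 16. */
static const uint8_t k_payload[] = "constructed payload bytes";

/* Happy path: bytes the builder copied, or 0 if the content does not match. */
static uint32_t bytes_copied(sftp_msg (*build)(const uint8_t *, uint32_t))
{
    sftp_msg msg = build(k_payload, sizeof(k_payload) - 1);
    if (msg == NULL) return 0;
    uint32_t used = msg->complete_message->used;
    if (memcmp(msg->complete_message->data, k_payload, used) != 0) used = 0;
    sftp_msg_free(msg);
    return used;
}

/* Failure path: true when the hardened builder returns NULL rather than
 * dereferencing it. Never call build_message_unchecked with the switch set. */
static bool checked_survives_alloc_failure(void)
{
    g_fail_next_alloc = true;
    sftp_msg msg = build_message_checked(k_payload, sizeof(k_payload) - 1);
    sftp_msg_free(msg);
    return msg == NULL;
}

int main(void)
{
    printf("unchecked, alloc ok: %u bytes\n", bytes_copied(build_message_unchecked));
    printf("checked, alloc ok:   %u bytes\n", bytes_copied(build_message_checked));
    printf("checked, alloc fail: %s\n", checked_survives_alloc_failure() ? "NULL" : "bug");
    return 0;
}
```

Both builders behave identically while allocation succeeds, which is why this class of bug survives normal testing; only the hardened builder can be run with the fault-injection switch set, because the unchecked one reproduces the crash the report describes. In a real fix the caller that constructs the message also has to free whatever it allocated before the failing call and return an error to its own caller, exactly as build_message_checked does here.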