ssh: heap buffer overflow (master)
### Bugreport SSHParseBanner (app-layer-ssh.c) There is an integer and as a result a heap buffer overflow at line 99. ## Input If *input of the function *SSHParseBanner(SshState *state, SshHeader *header, const uint8_t *input, uint32_t input_len)* only consists only one spezial character **'\n'**, the program runs into a heap buffer overfow. ## Reason At **line 76** in the function *SSHParseBanner*, the program search for a “'\r'”. If not, then match the input with a “'\n'”. After this point line_len is “0”. And this is the problem. At line 97, we subtract “-4” from line_len and we get a negativ integer. Unfortunatly, input_len is an unsigned integer and smaall negativ integers are now very big unsigned integers. The result is, that the **input_len** is much higher then the given buffer. The function *BasicSearch* needs the length and will crash by of reading to much memory space because of the high input_len value. This results in a heap-buffer-overflow.
Updated by Victor Julien over 4 years ago
- Status changed from Assigned to Closed
- Private changed from Yes to No