userauth: check for too large userauth_kybd_auth_name_len (libssh2#650)

... before using it. Reported-by: MarcoPoloPie Fixes libssh2#649
ANaphade · Dec 17, 2021 · 37ee0aa · 37ee0aa
1 parent 6c662e7
commit 37ee0aa
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/userauth.c b/src/userauth.c
@@ -1769,6 +1769,11 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
             if(session->userauth_kybd_data_len >= 5) {
                 /* string    name (ISO-10646 UTF-8) */
                 session->userauth_kybd_auth_name_len = _libssh2_ntohu32(s);
+                if(session->userauth_kybd_auth_name_len >
+                   session->userauth_kybd_data_len - 5)
+                    return _libssh2_error(session,
+                                          LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+                                          "Bad keyboard auth name");
                 s += 4;
             }
             else {