
[meta-oe,kirkstone] libssh: CVE-2020-16135 Fix NULL pointer dereference in sftpserver.c

Message ID 20230628061652.44364-1-hprajapati@mvista.com
State New

Commit Message

Hitendra Prajapati June 28, 2023, 6:16 a.m. UTC
Upstream-Status: Backport from https://gitlab.com/libssh/libssh-mirror/-/commit/1493b4466fa394b321d196ad63dd6a4fa395d337

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../libssh/libssh/CVE-2020-16135.patch        | 105 ++++++++++++++++++
 .../recipes-support/libssh/libssh_0.8.9.bb    |   4 +-
 2 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch

Patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
new file mode 100644
index 0000000000..210b2d17a0
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
@@ -0,0 +1,105 @@ 
+From 1493b4466fa394b321d196ad63dd6a4fa395d337 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: [PATCH] sftpserver: Add missing NULL check for ssh_buffer_new()
+
+Thanks to Ramin Farajpour Cami for spotting this.
+
+Fixes T232
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+
+Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/1493b4466fa394b321d196ad63dd6a4fa395d337]
+CVE: CVE-2020-16135
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/buffer.c     | 39 ++++++++++++++++++++++-----------------
+ src/sftpserver.c | 17 ++++++++++++++---
+ 2 files changed, 36 insertions(+), 20 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index da6e587fc..6e235a1e2 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -299,28 +299,33 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+  */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
+-  buffer_verify(buffer);
++    if (buffer == NULL) {
++        return -1;
++    }
+ 
+-  if (data == NULL) {
+-      return -1;
+-  }
++    buffer_verify(buffer);
+ 
+-  if (buffer->used + len < len) {
+-    return -1;
+-  }
++    if (data == NULL) {
++        return -1;
++    }
+ 
+-  if (buffer->allocated < (buffer->used + len)) {
+-    if(buffer->pos > 0)
+-      buffer_shift(buffer);
+-    if (realloc_buffer(buffer, buffer->used + len) < 0) {
+-      return -1;
++    if (buffer->used + len < len) {
++        return -1;
+     }
+-  }
+ 
+-  memcpy(buffer->data+buffer->used, data, len);
+-  buffer->used+=len;
+-  buffer_verify(buffer);
+-  return 0;
++    if (buffer->allocated < (buffer->used + len)) {
++        if (buffer->pos > 0) {
++            buffer_shift(buffer);
++        }
++        if (realloc_buffer(buffer, buffer->used + len) < 0) {
++            return -1;
++        }
++    }
++
++    memcpy(buffer->data + buffer->used, data, len);
++    buffer->used += len;
++    buffer_verify(buffer);
++    return 0;
+ }
+ 
+ /**
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 1717aa417..5e5b9b896 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -64,9 +64,20 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+ 
+   /* take a copy of the whole packet */
+   msg->complete_message = ssh_buffer_new();
+-  ssh_buffer_add_data(msg->complete_message,
+-                      ssh_buffer_get(payload),
+-                      ssh_buffer_get_len(payload));
++  if (msg->complete_message == NULL) {
++      ssh_set_error_oom(session);
++      sftp_client_message_free(msg);
++      return NULL;
++  }
++
++  rc = ssh_buffer_add_data(msg->complete_message,
++                           ssh_buffer_get(payload),
++                           ssh_buffer_get_len(payload));
++  if (rc < 0) {
++      ssh_set_error_oom(session);
++      sftp_client_message_free(msg);
++      return NULL;
++  }
+ 
+   ssh_buffer_get_u32(payload, &msg->id);
+ 
+-- 
+2.25.1
+
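Review bot: In the nested src/sftpserver.c hunk, the added lines assign `rc` and pass `session` to `ssh_set_error_oom()`, but neither declaration is visible, because sftp_get_client_message() starts and ends outside the hunk. The upstream commit was written against a newer tree than the stable-0.8 SRCREV this recipe pins, so it is worth confirming that both locals exist in 0.8.9. If `rc` is missing there, the backport needs `int rc;` added at the top of the function, with the deviation from upstream noted next to the `Upstream-Status:` line. Separately, the `rc < 0` branch reports every ssh_buffer_add_data() failure as out-of-memory, although the buffer.c hunk shows -1 is also returned for NULL data and for the `buffer->used + len < len` wrap check. That is acceptable for the fix, but keep it in mind when triaging an OOM error from this path.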
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
index c7e9c3320c..061f13912f 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -6,7 +6,9 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
 
 DEPENDS = "zlib openssl"
 
-SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.8"
+SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.8 \
+           file://CVE-2020-16135.patch \
+          "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
 
 S = "${WORKDIR}/git"