libssh2/backport-NULL-terminate-server_sign_algorithms-string-669.patch
2023-03-28 19:46:08 +08:00


From 2a2aaed3b6c3c1dc25e35e11afcfb23f88a18510 Mon Sep 17 00:00:00 2001
From: tihmstar <tihmstar@gmail.com>
Date: Thu, 3 Feb 2022 19:11:36 +0100
Subject: [PATCH] NULL terminate server_sign_algorithms string (#669)
files: packet.c, libssh2_priv.h
notes:
* Fix heap buffer overflow in _libssh2_key_sign_algorithm
When allocating `session->server_sign_algorithms`, which is a `char*`, it is important to also allocate space for the string-terminating null byte at the end and make sure the string is actually null terminated.
Without this fix, the `strchr()` call inside the `_libssh2_key_sign_algorithm` function (line 1219) will try to parse the string and read past the end of the buffer on the last invocation.
Credit: tihmstar
Co-authored-by: Will Cosgrove <will@panic.com>
Conflict: NA
Reference: https://github.com/libssh2/commit/2a2aaed3b6c3c1dc25e35e11afcfb23f88a18510
---
src/libssh2_priv.h | 1 -
src/packet.c | 4 ++--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
index f218a83..be16ad2 100644
--- a/src/libssh2_priv.h
+++ b/src/libssh2_priv.h
@@ -642,7 +642,6 @@ struct _LIBSSH2_SESSION
/* public key algorithms accepted as comma separated list */
char *server_sign_algorithms;
- size_t server_sign_algorithms_len;
/* key signing algorithm preferences -- NULL yields server order */
char *sign_algo_prefs;
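Review bot: dropping `server_sign_algorithms_len` from `struct _LIBSSH2_SESSION` is consistent with the string now being NUL-terminated, but this hunk only removes the declaration; the patch should also confirm that no remaining reader of the field (session teardown, `_libssh2_key_sign_algorithm`) depends on the explicit length, otherwise the build breaks or a caller silently falls back to the unterminated-buffer assumption the commit message warns about. A one-line note in the commit message stating that `strchr()`/`strlen()` on the terminated string is now the only consumer would make the intent clear.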
diff --git a/src/packet.c b/src/packet.c
index 686be5c..c3756a8 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -665,12 +665,12 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
session->server_sign_algorithms =
LIBSSH2_ALLOC(session,
- value_len);
+ value_len + 1);
if(session->server_sign_algorithms) {
- session->server_sign_algorithms_len = value_len;
memcpy(session->server_sign_algorithms,
value, value_len);
+ session->server_sign_algorithms[value_len] = '\0';
}
else {
rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
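Review bot: the `value_len + 1` allocation together with `session->server_sign_algorithms[value_len] = '\0';` is the right fix for the over-read (memcpy plus an explicit terminator, rather than `strncpy`, so the copy is bounded by the wire length and the terminator is unconditional), but the hunk does not show whether an existing `session->server_sign_algorithms` is released before `LIBSSH2_ALLOC` is called again; if this packet can arrive more than once per session (for example after a re-key), the previous buffer would leak, so consider a `LIBSSH2_FREE` of the old pointer before the allocation. A short comment on the `+ 1` (reserved for the NUL terminator) would help the next reader, since the `server_sign_algorithms_len` field that used to document the length is gone.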
--
2.23.0