From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001
From: Will Cosgrove
Date: Mon, 13 Apr 2026 11:18:25 -0700
Subject: [PATCH] userauth.c: username_len bounds checking (#1858)

Return errors when username_len will exceed bounds, fix existing bounds check.

Credit: [dapickle](https://github.com/dapickle)
---
 src/userauth.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/userauth.c b/src/userauth.c
index f8e02651c4..43d9ab9b9d 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
 memset(&session->userauth_list_packet_requirev_state, 0,
 sizeof(session->userauth_list_packet_requirev_state));
 
+ if(username_len > UINT32_MAX - 27) {
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ return NULL;
+ }
+
 session->userauth_list_data_len = username_len + 27;
 
 if(session->userauth_list_data) {
@@ -316,6 +322,11 @@ userauth_password(LIBSSH2_SESSION *session,
 * 40 = packet_type(1) + username_len(4) + service_len(4) +
 * service(14)"ssh-connection" + method_len(4) + method(8)"password" +
 * chgpwdbool(1) + password_len(4) */
+ if(username_len > UINT32_MAX - 40) {
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ }
+
 session->userauth_pswd_data_len = username_len + 40;
 
 session->userauth_pswd_data0 =
@@ -456,7 +467,7 @@ userauth_password(LIBSSH2_SESSION *session,
 }
 
 /* basic data_len + newpw_len(4) */
- if(username_len + password_len + 44 <= UINT_MAX) {
+ if(username_len <= UINT32_MAX - password_len - 44) {
 session->userauth_pswd_data_len =
 username_len + password_len + 44;
 s = session->userauth_pswd_data =
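Review bot: The new guard in userauth_list (hunk at -80) reports an oversized caller-supplied length as `LIBSSH2_ERROR_PROTO`, which reads as peer protocol misbehaviour when the error is triaged; the guard added in the userauth_password hunk at -316 does the same. `LIBSSH2_ERROR_INVAL` or `LIBSSH2_ERROR_OUT_OF_BOUNDARY` would describe the rejected argument more accurately, provided no caller depends on the PROTO code. The literals 27 and 40 now each appear in both the check and the assignment below it, and no breakdown of 27 is visible in this hunk, so a comment such as `/* must match the fixed-size fields counted in userauth_list_data_len below */` or a named constant would keep the pairs from drifting apart. Both function bodies start and end outside their hunks.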
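Review bot: The rewritten condition in the hunk at -456, `username_len <= UINT32_MAX - password_len - 44`, can still wrap. Assuming both lengths are unsigned, the right-hand side underflows to a very large value whenever password_len is greater than UINT32_MAX - 44, so the test passes and `username_len + password_len + 44` on the following lines overflows as it did before the change. Unless password_len is already bounded earlier in userauth_password (not visible here), bound it first: `if(password_len <= UINT32_MAX - 44 && username_len <= UINT32_MAX - 44 - password_len) {`. The body of this `if` continues outside the hunk.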