From b131c7ecc40dede0bb9b1ebc637eb950d69f20bc Mon Sep 17 00:00:00 2001 From: Packit Bot Date: May 05 2021 22:23:44 +0000 Subject: Apply patch libssh-0.9.4-fix-cve-2020-16135.patch patch_name: libssh-0.9.4-fix-cve-2020-16135.patch present_in_specfile: true location_in_specfile: 6 --- diff --git a/src/buffer.c b/src/buffer.c index a2e6246..9a6fc15 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer) */ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) { + if (buffer == NULL) { + return -1; + } + buffer_verify(buffer); if (data == NULL) { diff --git a/src/sftpserver.c b/src/sftpserver.c index 5a2110e..9117f15 100644 --- a/src/sftpserver.c +++ b/src/sftpserver.c @@ -67,9 +67,20 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) { /* take a copy of the whole packet */ msg->complete_message = ssh_buffer_new(); - ssh_buffer_add_data(msg->complete_message, - ssh_buffer_get(payload), - ssh_buffer_get_len(payload)); + if (msg->complete_message == NULL) { + ssh_set_error_oom(session); + sftp_client_message_free(msg); + return NULL; + } + + rc = ssh_buffer_add_data(msg->complete_message, + ssh_buffer_get(payload), + ssh_buffer_get_len(payload)); + if (rc < 0) { + ssh_set_error_oom(session); + sftp_client_message_free(msg); + return NULL; + } ssh_buffer_get_u32(payload, &msg->id);
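Review bot: The new `buffer == NULL` guard at the top of ssh_buffer_add_data in src/buffer.c has no comment explaining why it must run before `buffer_verify(buffer)`. The doc comment that closes just above the signature starts outside the hunk, so it is not visible whether it mentions this return path. I would add `/* Reject a NULL buffer before buffer_verify(): callers may pass an unchecked ssh_buffer_new() result (CVE-2020-16135). */` above the guard, and state in the doc comment that a NULL buffer yields -1. The early return records no error anywhere, so every caller has to check the result itself, as the src/sftpserver.c hunk now does.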
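Review bot: The context line right after the added block in sftp_get_client_message, `ssh_buffer_get_u32(payload, &msg->id);`, still discards its return value, which is the same pattern this change removes for ssh_buffer_add_data. If the peer's payload is shorter than four bytes, msg->id is presumably left at whatever value msg was allocated with, and the request carries an id the peer never sent. Assuming the getter returns the number of bytes read, a check such as `if (ssh_buffer_get_u32(payload, &msg->id) != sizeof(uint32_t)) { sftp_client_message_free(msg); return NULL; }` would close that gap. The function starts and ends outside the hunk, so the declarations of `rc` and `session` and any later handling of msg are not visible here.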