From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Wed, 27 Mar 2024 23:38:09 +0000 (+0100)
Subject: libssh2: set length to 0 if strdup failed
X-Git-Tag: curl-8_8_0~340
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f3204820052263f488f86e02c206e1d24c4da2c;p=thirdparty%2Fcurl.git

libssh2: set length to 0 if strdup failed

Internally, libssh2 dereferences the NULL pointer if length is non-zero.
The callback function cannot return the error condition, so at least
prevent subsequent crash.

Closes #13213
---

diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index 3cfbe126c6..7d8d5f4657 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -201,7 +201,8 @@ kbd_callback(const char *name, int name_len, const char *instruction,
   if(num_prompts == 1) {
     struct connectdata *conn = data->conn;
     responses[0].text = strdup(conn->passwd);
-    responses[0].length = curlx_uztoui(strlen(conn->passwd));
+    responses[0].length =
+      responses[0].text == NULL ? 0 : curlx_uztoui(strlen(conn->passwd));
   }
   (void)prompts;
 } /* kbd_callback */