From: Viktor Szakats <commit@vsz.me>
Date: Thu, 18 Sep 2025 12:02:51 +0000 (+0200)
Subject: libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()
X-Git-Tag: rc-8_17_0-1~348
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9f18cb6544bbf47e2e2fad6564bc03098273c7bc;p=thirdparty%2Fcurl.git

libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()

- null-terminate the result to match the other getter
  `libssh2_sftp_symlink_ex()` call.

- check negative result and bail out early.

Reported-by: Joshua Rogers

Closes #18598
---

diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index 5dfc377ec1..73d48077b5 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -2405,6 +2405,12 @@ static CURLcode ssh_state_sftp_readdir_link(struct Curl_easy *data,
 
   curlx_dyn_free(&sshp->readdir_link);
 
+  if(rc < 0)
+    return CURLE_OUT_OF_MEMORY;
+
+  /* It seems that this string is not always null-terminated */
+  sshp->readdir_filename[rc] = '\0';
+
   /* append filename and extra output */
   result = curlx_dyn_addf(&sshp->readdir, " -> %s", sshp->readdir_filename);
   if(result)