CVE-2023-3603: Potential NULL dereference in libssh’s sftp server

This is an announcement of a new CVE we fixed in libssh. This time it was caught early enough not to land in any released version, but if anyone is running the master branch or using unreleased commits, this is worth your attention.

Background

During last summer, we worked with students to implement a callback-based SFTP server. It took a bit of time to get merged; we hit a couple of roadblocks, including poll locks that made large reads block the connection indefinitely. All of this was resolved and the code was merged a couple of months back. Even though all of us read and worked through the code, and we ran Coverity over it, we missed one allocation check, which could cause a NULL dereference.
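The bug class behind this advisory, a missing NULL check after an allocation, is worth seeing side by side with the pattern that avoids it. The following is an added illustration written for this page, not libssh's code or the actual fix: the reply structure, the `reply_alloc` hook and the two `make_reply_*` functions are hypothetical, and the allocator hook exists only so that allocation failure can be simulated deterministically (the hardened version also cleans up a partially built reply when the second allocation fails).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical SFTP status reply; not a libssh type. */
typedef struct {
    uint32_t id;      /* request id the reply answers */
    uint32_t status;  /* SSH_FX_* style status code */
    char *message;    /* human-readable message, heap allocated */
} sftp_reply_t;

/* Allocation hook: -1 never fails; otherwise that many allocations
 * succeed before the hook starts returning NULL (constructed for tests). */
static int allocs_before_fail = -1;

void set_alloc_failure(int successful_allocs_before_failure) {
    allocs_before_fail = successful_allocs_before_failure;
}

static void *reply_alloc(size_t n) {
    if (allocs_before_fail == 0)
        return NULL;
    if (allocs_before_fail > 0)
        allocs_before_fail--;
    return calloc(1, n);
}

void free_reply(sftp_reply_t *r) {
    if (r == NULL)
        return;
    free(r->message);
    free(r);
}

/* Vulnerable pattern: the allocation result is dereferenced without a
 * check, so an allocation failure becomes a NULL pointer dereference. */
sftp_reply_t *make_reply_unchecked(uint32_t id, uint32_t status, const char *msg) {
    sftp_reply_t *r = reply_alloc(sizeof(*r));
    r->id = id;                          /* crashes here if r == NULL */
    r->status = status;
    r->message = reply_alloc(strlen(msg) + 1);
    memcpy(r->message, msg, strlen(msg) + 1);  /* and here if message == NULL */
    return r;
}

/* Hardened pattern: every allocation is checked, failure is reported to
 * the caller as an error code, and partial work is released. */
int make_reply_checked(uint32_t id, uint32_t status, const char *msg,
                       sftp_reply_t **out) {
    *out = NULL;
    sftp_reply_t *r = reply_alloc(sizeof(*r));
    if (r == NULL)
        return -1;
    r->id = id;
    r->status = status;
    size_t len = strlen(msg) + 1;
    r->message = reply_alloc(len);
    if (r->message == NULL) {
        free_reply(r);                   /* do not leak the half-built reply */
        return -1;
    }
    memcpy(r->message, msg, len);
    *out = r;
    return 0;
}

int main(void) {
    sftp_reply_t *r = NULL;
    set_alloc_failure(-1);
    if (make_reply_checked(7, 2, "no such file", &r) == 0) {
        printf("reply id=%u status=%u message=%s\n", r->id, r->status, r->message);
        free_reply(r);
    }
    set_alloc_failure(1);                /* struct succeeds, message fails */
    int rc = make_reply_checked(7, 2, "no such file", &r);
    printf("with failing allocator: rc=%d reply=%p\n", rc, (void *)r);
    return 0;
}
```

The `make_reply_unchecked` variant is only there for comparison; calling it while the allocator is failing will dereference NULL exactly as the advisory describes. The hardened variant is what a reviewer or a static analyzer such as Coverity expects to see after every allocation in a server that handles untrusted peers.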

Issue

This issue was reported to us by Wei Chong Tan and is described in the attached advisory, including the possible impact. The fix was committed to the master branch as fe80f47b0ae8902d229ef9b8a1b4fa949b92e720 and will be in the next major release.

Given that this affects only master, no new libssh version was released. And given that this is new functionality, I do not assume many users are already using it. But for the sake of transparency, and to give the reporter credit, we are releasing the security advisory and CVE to keep everyone informed.