ASA-2019-00463 – libssh2: Out-of-bounds read leading to information disclosure

Allele Security Alert



ASA-2019-00463, CVE-2019-13115


Out-of-bounds read leading to information disclosure


The libssh2 project



Affected version(s)

libssh2 version 1.8.2 and earlier

Fixed version(s)

libssh2 version 1.9.0

Proof of concept



Description

In libssh2 before 1.9.0, the function kex_method_diffie_hellman_group_exchange_sha256_key_exchange() in the file kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to that server.

Technical details

The vulnerable function is _libssh2_check_length() as found in misc.c:

    int _libssh2_check_length(struct string_buf *buf, size_t len)
    {
        return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;
    }

The problem with this function is that the casts to int can overflow. The left-hand cast is safe because the fields of buf are trusted values, but the right-hand cast is not safe because the value of len is untrusted. A server can make len greater than buf->len + 0x80000000 so that the calculation of (int)(buf->len - len) overflows and becomes a very large positive number, which bypasses the bounds check and causes libssh2 to crash with a segmentation fault.
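To make the overflow concrete, here is an added example (not libssh2's own code): the check as quoted above beside a hardened form that keeps the arithmetic in size_t, both run against a constructed 100-byte buffer. The struct is a minimal stand-in for libssh2's string_buf, and the hardened version is written for this example rather than copied from the 1.9.0 fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for libssh2's struct string_buf (same field names as in the check above). */
struct string_buf {
    unsigned char *data;     /* start of the packet buffer */
    unsigned char *dataptr;  /* current read position */
    size_t len;              /* total number of bytes in the buffer */
};

/* The check as quoted in the advisory: both operands are truncated to int before comparing. */
int vulnerable_check_length(struct string_buf *buf, size_t len)
{
    return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;
}

/* Hardened check written for this example: stay in size_t, reject a read position
   that is already past the end, then compare len with the bytes actually remaining. */
int safe_check_length(struct string_buf *buf, size_t len)
{
    size_t consumed = (size_t)(buf->dataptr - buf->data);
    if(consumed > buf->len)
        return 0;
    return (len <= buf->len - consumed) ? 1 : 0;
}

/* Constructed packet buffer: 100 bytes, 10 already consumed, so 90 remain. */
unsigned char sample_packet[100];
struct string_buf sample_buf = { sample_packet, sample_packet + 10, sizeof(sample_packet) };
/* A length just past buf->len + 0x80000000: buf->len - len wraps (unsigned), and the low
   32 bits of the result are 0x7FFFFFFF, which the (int) cast turns into INT_MAX on a
   typical 64-bit compiler (converting an out-of-range value is implementation-defined). */
size_t overflow_len(const struct string_buf *buf)
{
    return buf->len + (size_t)0x80000001u;
}

int main(void)
{
    size_t huge = overflow_len(&sample_buf);
    printf("len=50  in bounds:     vulnerable=%d safe=%d\n",
           vulnerable_check_length(&sample_buf, 50), safe_check_length(&sample_buf, 50));
    printf("len=95  out of bounds: vulnerable=%d safe=%d\n",
           vulnerable_check_length(&sample_buf, 95), safe_check_length(&sample_buf, 95));
    printf("len=%zu overflow:      vulnerable=%d safe=%d\n", huge,
           vulnerable_check_length(&sample_buf, huge), safe_check_length(&sample_buf, huge));
    return 0;
}
```

The third line of output shows the quoted check accepting a length far beyond the buffer while the size_t version rejects it.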


Credits

Kevin Backhouse (Semmle Security Research Team)


References

libssh2 integer overflows and an out-of-bounds read (CVE-2019-13115)

Out-of-bounds read in libssh2 (CVE-2019-13115)

_libssh2_check_length() : additional bounds check #348

Simplified _libssh2_check_length #350



Last modified: August 10, 2019

