There is an out-of-bounds read vulnerability, potentially leading to either denial of service or remote information disclosure. It is triggered when libssh2 is used to connect to a malicious SSH server. The overflow occurs when the SSH server sends a disconnect message, which means that the vulnerability can be triggered early in the connection process, before authentication is completed.
In libssh2 before 1.9.0, the function kex_method_diffie_hellman_group_exchange_sha256 _key_exchange() in the file kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error. (CWE-130).
A server could send a specially crafted SSH packet with a padding length value greater than the packet length. This would result in a buffer read out of bounds when decompressing the packet or result in a corrupted packet value (CWE-130).
A server could send a specially crafted partial packet in response to various commands such as: sha1 and sha226 key exchange, user auth list, user auth password response, public key auth response, channel startup/open/forward/ setenv/request pty/x11 and session start up. The result would be a memory out of bounds read (CWE-130).
A server could send a specially crafted partial SFTP packet with a zero value for the payload length. This zero value would be used to then allocate memory resulting in a zero byte allocation and possible out of bounds read (CWE-130).
A server could send a SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with a length of max unsigned integer value. The length would then have a value of 1 added to it and used to allocate memory causing a possible memory write out of bounds error or zero byte allocation (CWE-130).
A server could send a value approaching unsigned int max number of keyboard prompt requests which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error (CWE-130).