From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Mon, 13 Apr 2026 11:18:25 -0700
Subject: [PATCH] userauth.c: username_len bounds checking (#1858)
Return errors when username_len will exceed bounds, fix existing bounds
check.
Credit:
[dapickle](https://github.com/dapickle)
CVE: CVE-2026-7598
Upstream: https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
src/userauth.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/userauth.c b/src/userauth.c
index f8e02651..43d9ab9b 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
memset(&session->userauth_list_packet_requirev_state, 0,
sizeof(session->userauth_list_packet_requirev_state));
+ if(username_len > UINT32_MAX - 27) {
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ return NULL;
+ }
+
session->userauth_list_data_len = username_len + 27;
s = session->userauth_list_data =
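Review bot: The new early return reports `LIBSSH2_ERROR_PROTO` for an over-long `username_len`, which appears to be a caller-supplied argument (the parameter list is cut off in the hunk header), not something the peer sent. In logs and to callers this reads as a misbehaving server; `_libssh2_error(session, LIBSSH2_ERROR_INVAL, "username_len out of bounds");` would describe a rejected argument more accurately. The same applies to the `UINT32_MAX - 40` check added in userauth_password. Separately, 27 now appears in both the guard and the assignment with no breakdown visible in this hunk; a comment in the style of the `40 = packet_type(1) + ...` one in userauth_password would keep the two in step. The body of userauth_list starts and ends outside the hunk.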
@@ -307,6 +313,11 @@ userauth_password(LIBSSH2_SESSION *session,
* 40 = packet_type(1) + username_len(4) + service_len(4) +
* service(14)"ssh-connection" + method_len(4) + method(8)"password" +
* chgpwdbool(1) + password_len(4) */
+ if(username_len > UINT32_MAX - 40) {
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ }
+
session->userauth_pswd_data_len = username_len + 40;
session->userauth_pswd_data0 =
@@ -447,7 +458,7 @@ password_response:
}
/* basic data_len + newpw_len(4) */
- if(username_len + password_len + 44 <= UINT_MAX) {
+ if(username_len <= UINT32_MAX - password_len - 44) {
session->userauth_pswd_data_len =
username_len + password_len + 44;
s = session->userauth_pswd_data =
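Review bot: The rewritten guard `username_len <= UINT32_MAX - password_len - 44` can itself wrap on the right-hand side. If `password_len` is an unsigned type (its declaration is outside the hunk) and exceeds `UINT32_MAX - 44`, the subtraction wraps to a large value, the comparison passes, and `username_len + password_len + 44` then overflows as before. Bounding `password_len` first closes this: `if(password_len <= UINT32_MAX - 44 && username_len <= UINT32_MAX - 44 - password_len) {`. The allocation that consumes `userauth_pswd_data_len` continues past the end of the hunk, so any further length added to it there would need the same treatment.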