From 04d2f831fa8da74c973538cd3f621061a7656771 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 11 Dec 2025 13:22:44 +0100
Subject: [PATCH 1/2] sftp: Fix out-of-bound read from sftp extensions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE: CVE-2026-3731
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8]

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
(cherry picked from commit f80670a7aba86cbb442c9b115c9eaf4ca04601b8)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
---
 src/sftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sftp.c b/src/sftp.c
index 37b4133b..05e05019 100644
--- a/src/sftp.c
+++ b/src/sftp.c
@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
     return NULL;
   }

-  if (idx > sftp->ext->count) {
+  if (idx >= sftp->ext->count) {
     ssh_set_error_invalid(sftp->session);
     return NULL;
   }
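Review bot: The corrected bound `if (idx >= sftp->ext->count)` carries no comment explaining why equality must be rejected, and this off-by-one is easy to reintroduce; I would add `/* idx is zero-based: valid entries are 0 .. count - 1 */` directly above the check. Any other accessor that indexes the same extension arrays by `idx` needs the identical `>=` comparison. None is visible in this hunk, and since the subject says 1/2 the second patch may cover it, but that is worth confirming when applying the backport. A regression test that passes `idx == count` and expects NULL would pin the boundary. The body of sftp_extensions_get_name continues past the end of the hunk, so the array access the check protects is not visible here.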
--
2.35.6
