From ddc4938380b2caae926a30e16b017e5ed9e83866 Mon Sep 17 00:00:00 2001
From: hdliu
Date: Tue, 25 Nov 2025 10:56:49 +0800
Subject: [PATCH] backport patch from upstream
Signed-off-by: hdliu
---
 ...eak-in-base64_encode-with-empty-data.patch | 29 ++++++
 ...rmed-comments-in-known_hosts-parsing.patch | 28 ++++++
 ...g-garbage-value-reported-by-clang-ti.patch | 33 +++++++
 ...dereference-in-path-arg-of-send-recv.patch | 90 +++++++++++++++++++
 libssh2.spec | 15 +++-
 5 files changed, 193 insertions(+), 2 deletions(-)
 create mode 100644 backport-Fix-small-leak-in-base64_encode-with-empty-data.patch
 create mode 100644 backport-Handle-malformed-comments-in-known_hosts-parsing.patch
 create mode 100644 backport-mbedtls-fix-using-garbage-value-reported-by-clang-ti.patch
 create mode 100644 backport-scp-fix-NULL-dereference-in-path-arg-of-send-recv.patch
diff --git a/backport-Fix-small-leak-in-base64_encode-with-empty-data.patch b/backport-Fix-small-leak-in-base64_encode-with-empty-data.patch
new file mode 100644
index 0000000..1403f90
--- /dev/null
+++ b/backport-Fix-small-leak-in-base64_encode-with-empty-data.patch
@@ -0,0 +1,29 @@
+From 6c0e3a994560477b73e840397f32e033ffc58a34 Mon Sep 17 00:00:00 2001
+From: willco007
+Date: Mon, 24 Nov 2025 16:12:36 +0800
+Subject: [PATCH] Fix small leak in base64_encode() with empty data Fix small
+ memory leak when trying to encode base64 data with no data.
+
+Credit:
+Liu Xing Yu
+---
+ src/misc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/misc.c b/src/misc.c
+index 6515311..63448ed 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -425,6 +425,9 @@ size_t _libssh2_base64_encode(LIBSSH2_SESSION *session,
+ if(insize == 0)
+ insize = strlen(indata);
+
++ if(insize == 0)
++ return 0; /* nothing to encode */
++
+ base64data = output = LIBSSH2_ALLOC(session, insize * 4 / 3 + 4);
+ if(!output)
+ return 0;
+--
+2.43.0
+
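Review bot: The early return added to `_libssh2_base64_encode()` for `insize == 0` leaves before anything in the visible lines assigns the caller's output pointer, so a caller that reads or frees that pointer after a 0 return relies on it having been cleared earlier in the function, which is outside this hunk. If it is not cleared there, the new branch should clear it before returning. The same 0 is also the allocation-failure return a few lines further down, so the comment could record that: `return 0; /* nothing to encode; 0 is also returned on allocation failure */`.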
diff --git a/backport-Handle-malformed-comments-in-known_hosts-parsing.patch b/backport-Handle-malformed-comments-in-known_hosts-parsing.patch
new file mode 100644
index 0000000..ace1827
--- /dev/null
+++ b/backport-Handle-malformed-comments-in-known_hosts-parsing.patch
@@ -0,0 +1,28 @@
+From bde061882d59f69a488a28cb1766b11e93315c6e Mon Sep 17 00:00:00 2001
+From: willco007
+Date: Mon, 24 Nov 2025 16:31:51 +0800
+Subject: [PATCH] Handle malformed comments in known_hosts parsing Notes:
+ Handle malformed comment in known_hosts parsing to avoid buffer overflow.
+
+Credit:
+Liu Xing Yu
+---
+ src/knownhost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/knownhost.c b/src/knownhost.c
+index c223118..c1dea49 100644
+--- a/src/knownhost.c
++++ b/src/knownhost.c
+@@ -789,7 +789,7 @@ static int hostline(LIBSSH2_KNOWNHOSTS *hosts,
+ key_type = LIBSSH2_KNOWNHOST_KEY_UNKNOWN;
+
+ /* skip whitespaces */
+- while((*key ==' ') || (*key == '\t')) {
++ while(keylen && ((*key ==' ') || (*key == '\t'))) {
+ key++;
+ keylen--;
+ }
+--
+2.43.0
+
diff --git a/backport-mbedtls-fix-using-garbage-value-reported-by-clang-ti.patch b/backport-mbedtls-fix-using-garbage-value-reported-by-clang-ti.patch
new file mode 100644
index 0000000..6d78470
--- /dev/null
+++ b/backport-mbedtls-fix-using-garbage-value-reported-by-clang-ti.patch
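Review bot: The `keylen &&` guard in `hostline()` stops the whitespace skip at the end of the line, but the loop can now exit with `keylen == 0` and `key` pointing one past the last byte; the code that follows the loop is outside this hunk, so it should be confirmed to test `keylen` before it reads `*key` again. The existing comment could record the bound, for example `/* skip whitespaces, without running past the end of the line */`. A regression test that parses a known_hosts line which runs out while this loop is still skipping whitespace would keep the over-read from coming back.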
@@ -0,0 +1,33 @@
+From 35ce5da4ad42eea7a058105e6ff542aa9854dc26 Mon Sep 17 00:00:00 2001
+From: vszakats
+Date: Tue, 25 Nov 2025 09:52:03 +0800
+Subject: [PATCH] mbedtls: fix using garbage value (reported by clang-tidy)
+In `_libssh2_mbedtls_pub_priv_key()` on a NON-error code path, a stack
+variable was checked without initializing it first.
+
+I found it interesting that clang-tidy did not find this when building
+against the system mbedtls (2.x) with 2.x compatibility code still in.
+Then it did find it when using a manual build of mbedtls 3.1.0 with
+2.x compatibility code deleted from libssh2. Being such a trivial error
+I wonder why no compiler ever detected it as a regular warning.
+
+---
+ src/mbedtls.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mbedtls.c b/src/mbedtls.c
+index e387cdb..bcce6ad 100644
+--- a/src/mbedtls.c
++++ b/src/mbedtls.c
+@@ -691,6 +691,8 @@ _libssh2_mbedtls_pub_priv_key(LIBSSH2_SESSION *session,
+ "Key type not supported");
+ }
+
++ ret = 0;
++
+ /* write method */
+ mthlen = 7;
+ mth = LIBSSH2_ALLOC(session, mthlen);
+--
+2.43.0
+
diff --git a/backport-scp-fix-NULL-dereference-in-path-arg-of-send-recv.patch b/backport-scp-fix-NULL-dereference-in-path-arg-of-send-recv.patch
new file mode 100644
index 0000000..3db0e20
--- /dev/null
+++ b/backport-scp-fix-NULL-dereference-in-path-arg-of-send-recv.patch
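Review bot: The bare `ret = 0;` added to `_libssh2_mbedtls_pub_priv_key()` carries no explanation, and an assignment like this in the middle of a function is easy to delete in a later cleanup. Going by the commit message, `ret` is tested further down on a path where no earlier call has set it, so a comment such as `/* ret is checked below even when no call above has set it */` would keep the reason next to the line. Initialising `ret` where it is declared (outside this hunk) would also cover any other path that reaches that check, since reading an uninitialised automatic variable is undefined behaviour.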
@@ -0,0 +1,90 @@
+From 9fc9e888718955b86d8c58a5bd82763354b7cb04 Mon Sep 17 00:00:00 2001
+From: doorsdown
+Date: Mon, 24 Nov 2025 16:54:11 +0800
+Subject: [PATCH] scp: fix NULL dereference in path arg of send/recv Notes: *
+ Error handling if path for scp is NULL
+
+Reported-by:
+Liu Xing Yu
+
+Credit:
+Ryan Kelley
+---
+ docs/libssh2_scp_recv.3 | 2 ++
+ docs/libssh2_scp_recv2.3 | 2 ++
+ docs/libssh2_scp_send64.3 | 2 ++
+ src/scp.c | 12 ++++++++++++
+ 4 files changed, 18 insertions(+)
+
+diff --git a/docs/libssh2_scp_recv.3 b/docs/libssh2_scp_recv.3
+index 7d194d4..ea93ce4 100644
+--- a/docs/libssh2_scp_recv.3
++++ b/docs/libssh2_scp_recv.3
+@@ -26,6 +26,8 @@ Pointer to a newly allocated LIBSSH2_CHANNEL instance, or NULL on errors.
+ .SH ERRORS
+ \fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed.
+
++\fILIBSSH2_ERROR_INVAL\fP - Invalid argument used in function call.
++
+ \fILIBSSH2_ERROR_SCP_PROTOCOL\fP -
+
+ \fILIBSSH2_ERROR_EAGAIN\fP - Marked for non-blocking I/O but the call would
+diff --git a/docs/libssh2_scp_recv2.3 b/docs/libssh2_scp_recv2.3
+index 4d763fc..5f795ef 100644
+--- a/docs/libssh2_scp_recv2.3
++++ b/docs/libssh2_scp_recv2.3
+@@ -23,6 +23,8 @@ Pointer to a newly allocated LIBSSH2_CHANNEL instance, or NULL on errors.
+ .SH ERRORS
+ \fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed.
+
++\fILIBSSH2_ERROR_INVAL\fP - Invalid argument used in function call.
++
+ \fILIBSSH2_ERROR_SCP_PROTOCOL\fP -
+
+ \fILIBSSH2_ERROR_EAGAIN\fP - Marked for non-blocking I/O but the call would
+diff --git a/docs/libssh2_scp_send64.3 b/docs/libssh2_scp_send64.3
+index df63b7e..27122e7 100644
+--- a/docs/libssh2_scp_send64.3
++++ b/docs/libssh2_scp_send64.3
+@@ -35,6 +35,8 @@ Pointer to a newly allocated LIBSSH2_CHANNEL instance, or NULL on errors.
+ .SH ERRORS
+ \fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed.
+
++\fILIBSSH2_ERROR_INVAL\fP - Invalid argument used in function call.
++
+ \fILIBSSH2_ERROR_SOCKET_SEND\fP - Unable to send data on socket.
+
+ \fILIBSSH2_ERROR_SCP_PROTOCOL\fP -
+diff --git a/src/scp.c b/src/scp.c
+index ede0b88..80548c9 100644
+--- a/src/scp.c
++++ b/src/scp.c
+@@ -282,6 +282,12 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb)
+ int tmp_err_code;
+ const char *tmp_err_msg;
+
++ if(!path) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "Path argument can not be null");
++ return NULL;
++ }
++
+ if(session->scpRecv_state == libssh2_NB_state_idle) {
+ session->scpRecv_mode = 0;
+ session->scpRecv_size = 0;
+@@ -858,6 +864,12 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode,
+ int tmp_err_code;
+ const char *tmp_err_msg;
+
++ if(!path) {
++ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
++ "Path argument can not be null");
++ return NULL;
++ }
++
+ if(session->scpSend_state == libssh2_NB_state_idle) {
+ session->scpSend_command_len =
+ _libssh2_shell_quotedsize(path) + sizeof("scp -t ") +
+--
+2.43.0
+
diff --git a/libssh2.spec b/libssh2.spec
index fd933df..338a034 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,6 +1,6 @@
 Name: libssh2
 Version: 1.11.0
-Release: 4
+Release: 5
 Summary: A library implementing the SSH2 protocol
 License: BSD
 URL: https://www.libssh2.org/
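Review bot: The `!path` guard in `scp_recv()` and `scp_send()` sits ahead of the `libssh2_NB_state_idle` test, so in non-blocking use it also runs on every re-entry after `LIBSSH2_ERROR_EAGAIN`, not only when the command is first built. If `path` is read only inside the idle branch (the rest of both functions is outside these hunks), a retry that passes NULL now returns early and leaves the session's scp state machine where the previous call stopped. Either move the check inside the idle branch, or keep it where it is and say so in the code, `/* path is required on every call, including non-blocking retries */`, with the same requirement stated next to the new `LIBSSH2_ERROR_INVAL` entries in the man pages.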
@@ -18,7 +18,12 @@ Patch8: backport-buildconf-drop.patch Patch9: backport-Prevent-possible-double-free-of-hostkey.patch Patch10: backport-Fix-unstable-connections-over-nonblocking-sockets.patch Patch11: backport-session-support-server-banners-up-to-8192-bytes-was-256.patch - +Patch12: backport-Fix-small-leak-in-base64_encode-with-empty-data.patch +Patch13: backport-Handle-malformed-comments-in-known_hosts-parsing.patch +Patch14: backport-mbedtls-fix-using-garbage-value-reported-by-clang-ti.patch +Patch15: backport-scp-fix-NULL-dereference-in-path-arg-of-send-recv.patch + + BuildRequires: coreutils findutils /usr/bin/man zlib-devel BuildRequires: gcc make sed openssl-devel > 1:1.0.2 openssh-server BuildRequires: glibc-langpack-en groff @@ -97,6 +102,12 @@ echo "exit 0" > tests/mansyntax.sh %{_mandir}/man3/libssh2_*.3* %changelog +* Tue Nov 25 2025 hdliu - 1.11.0-5 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport some upstream patches + * Tue Oct 29 2024 bitianyuan - 1.11.0-4 - Type:bugfix - ID:NA -- Gitee