www.libssh2.org | Daily snapshots | Mailing list archive | Docs | Examples

Archive Index This month's Index

Subject: [libssh2] All Your Mem Belongs to Us

[libssh2] All Your Mem Belongs to Us

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 10 Nov 2006 11:18:27 +0100 (CET)

Hey

libssh2 0.14 on Linus 2.6.17 gcc 4.1.2 20061028 glibc 2.3.6

Since we now have the beginning of SCP support in libcurl based on libssh2,
people have started to experiment with this. It didn't take long until this
little thing popped out:

1. Start apache on port 80 running a normal http server

2. Invoke curl to do SCP but point out the HTTP server:
    $ curl scp://localhost:80/helllo

3. Now watch how libssh2 eats roughly 1GB of RAM.

With libssh2 debug output enabled we can see this funny log:

[libssh2] Transport: New session resource allocated
[libssh2] Transport: session_startup for socket 3
[libssh2] Transport: Sending Banner: SSH-2.0-libssh2_0.14
[libssh2] Transport: Received Banner: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">
[libssh2] Transport: Sending packet type 20, length=558, 14 9C 88 D3 E2 FA 02
2C
[libssh2] Transport: Sending packet with total length 564 (5 bytes padding)
[libssh2] Transport: Looking for packet of type: 20
[libssh2] Transport: Blocking until packet of type 20 becomes available
[libssh2] Transport: Checking for packet: will block
[libssh2] Transport: Blocking read: 5 bytes
[libssh2] Transport: Blocking read: 5 bytes actually read
[libssh2] Transport: Processing plaintext packet 1013478509 bytes long (with
108 bytes padding)

Whoa! This little thing then causes:

(line 896 in scr/packet.c)

         payload = LIBSSH2_ALLOC(session, payload_len);

1. What about some sensibility-checks that we actually get something that
    is at least resembling SSH?

2. What about some sensibility-checks to avoid allocating over-the-top
    amounts? It seems like a dead-easy way to screw up clients if you are an
    evil server.

3. Does this really need to alloc and free this area for every call to
    libssh2_packet_read() ? It seems like a pretty huge overhead to me. Is
    there anyone working on fixing this?

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
libssh2-devel mailing list
libssh2-devel_at_lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libssh2-devel
Received on 2006-11-10

the libssh2 team