Subject: Problem with libssh2_scp_recv() and libssh2_channel_read()

Problem with libssh2_scp_recv() and libssh2_channel_read()

From: Paul Veldkamp <jpv110_at_rsphymail.anu.edu.au>
Date: Mon, 27 Jul 2009 10:25:24 +1000

Hi,

Using the latest daily snapshot of libssh2, I have a problem downloading
files using libssh2_scp_recv(). When reading the data using
libssh2_channel_read(), I consistently fail to pass the new check in
transport.c, line 434, which was introduced to fix bug 2814613:
p->packet_length exceeds PACKETBUFSIZE (16384) and the function
_libssh2_transport_read() returns failure.
Shouldn't the check at line 455 (see below) take care of illegally large
values for p->packet_length?

>From transport.c, function _libssh2_transport_read():

 /* we now have the initial blocksize bytes decrypted,
  * and we can extract packet and padding length from it
  */
 p->packet_length = _libssh2_ntohu32(block);
/* line 434 */ if ((p->packet_length < 1) || (p->packet_length >
PACKETBUFSIZE))
    return PACKET_FAIL;

 p->padding_length = block[4];
 if (p->padding_length < 0)
    return PACKET_FAIL;

 /* total_num is the number of bytes following the initial
    (5 bytes) packet length and padding length fields */
 p->total_num =
    p->packet_length - 1 +
    (encrypted ? session->remote.mac->mac_len : 0);

/* RFC4253 section 6.1 Maximum Packet Length says:
 *
 * "All implementations MUST be able to process
 * packets with uncompressed payload length of 32768
 * bytes or less and total packet size of 35000 bytes
 * or less (including length, padding length, payload,
 * padding, and MAC.)."
 */
/* line 455 */ if (p->total_num > LIBSSH2_PACKET_MAXPAYLOAD) {
   return PACKET_TOOBIG;
}

Cheers,
Paul Veldkamp

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2009-07-27