Subject: SIGSEGV if using patch "keyb-interactive: allow zero length fields"

From: Alfred Gebert <alfred.gebert_at_gmail.com>
Date: Tue, 28 Jun 2011 09:00:17 +0200

I'm using libssh2 from git. My test uses curl, and if I try to
establish an sftp session the program dies with "Segmentation fault".

curl --insecure -u agebert:password --verbose sftp://gebert4.e2e.ch/
* About to connect() to gebert4.e2e.ch port 22 (#0)
* Trying 127.0.0.2... connected
* Connected to gebert4.e2e.ch (127.0.0.2) port 22 (#0)
* SSH authentication methods available: publickey,gssapi-with-mic,keyboard-interactive
* Using ssh public key file /home/agebert/.ssh/id_dsa.pub
* Using ssh private key file /home/agebert/.ssh/id_dsa
* SSH public key authentication failed: Unable to open public key file
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0xb7cd8fa1 in free () from /lib/libc.so.6
(gdb) where
#0 0xb7cd8fa1 in free () from /lib/libc.so.6
#1 0xb7e83670 in my_libssh2_free () from /home/agebert/local/lib/libcurl.so.4
#2 0xb7b136d8 in userauth_keyboard_interactive (session=0x8084a40, username=0x8084810 "agebert", username_len=7, response_callback=0xb7e83840 <kbd_callback>) at userauth.c:1616
#3 0xb7b1390b in libssh2_userauth_keyboard_interactive_ex (session=0x8084a40, user=0x8084810 "agebert", user_len=7, response_callback=0xb7e83840 <kbd_callback>) at userauth.c:1672
#4 0xb7e851d6 in ssh_statemach_act () from /home/agebert/local/lib/libcurl.so.4
#5 0xb7e87a32 in ssh_easy_statemach () from /home/agebert/local/lib/libcurl.so.4
#6 0xffffffff in ?? ()

I tried to isolate which commit introduced the regression.

This is fine:
0723dab4d76c16208132367922ca2151cb458073 libssh2_channel_process_startup.3: clean up

This does crash:
5b004a4b67e3c6e8de97d5bbbab470b1191b1a16 keyb-interactive: add the fixed buffer

The other commits between these commits do not compile.

For me the fix "keyb-interactive: allow zero length fields" is
important because on AIX malloc(0) returns an error.

If you need more details let me know.

Alfred
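The portability point behind this report, as an added illustration that is not code from the post or from libssh2: malloc(0) is implementation-defined (NULL on AIX, a unique pointer on glibc), so keyboard-interactive response fields of length zero need an allocation path that never calls malloc(0) and a free path that tolerates whatever was stored. The struct below mirrors the shape of libssh2's LIBSSH2_USERAUTH_KBDINT_RESPONSE but is defined locally so the file builds without libssh2.h; the prompts and answers are constructed sample data.

```c
#include <stdlib.h>
#include <string.h>

/* Same shape as libssh2's LIBSSH2_USERAUTH_KBDINT_RESPONSE (assumed here
 * so this example builds stand-alone). */
typedef struct {
    char *text;
    unsigned int length;
} kbdint_response;

/* Allocate a field of 'len' bytes without ever calling malloc(0); a
 * zero-length field gets a real 1-byte buffer so it can be freed normally. */
static void *alloc_field(size_t len)
{
    return malloc(len ? len : 1);
}

/* Store one response; len == 0 is legal and yields a non-NULL buffer. */
int set_response(kbdint_response *r, const char *src, unsigned int len)
{
    r->text = alloc_field(len);
    if (!r->text)
        return -1;              /* genuine allocation failure, not a len==0 artifact */
    if (len)
        memcpy(r->text, src, len);
    r->length = len;
    return 0;
}

/* Release every response; free(NULL) is a no-op, so fields that were never
 * allocated are safe too, and the slot is reset so a double free is inert. */
void free_responses(kbdint_response *resp, unsigned int n)
{
    for (unsigned int i = 0; i < n; i++) {
        free(resp[i].text);
        resp[i].text = NULL;
        resp[i].length = 0;
    }
}

/* Constructed scenario: two prompts, the second answered with an empty string.
 * Returns 1 when both fields were stored and the empty one is still freeable. */
int demo(void)
{
    kbdint_response resp[2] = {{0}};
    const char *answers[2] = {"password", ""};
    int ok = 1;
    for (unsigned int i = 0; i < 2 && ok; i++)
        if (set_response(&resp[i], answers[i], (unsigned int)strlen(answers[i])) != 0)
            ok = 0;
    if (ok && (resp[1].text == NULL || resp[1].length != 0))
        ok = 0;
    free_responses(resp, 2);
    return ok;
}
```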
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2011-06-28