Subject: [libssh2] #243: curl + libssh2 segfault with SFTP

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Tue, 10 Jul 2012 16:14:59 -0000

#243: curl + libssh2 segfault with SFTP
----------------------+--------------------
 Reporter: tony2001 | Owner:
     Type: defect | Status: new
 Priority: normal | Milestone: 1.4.0
Component: SFTP | Version: 1.4.1
 Keywords: | Blocked By:
   Blocks: |
----------------------+--------------------
 curl is the last stable version from the cURL website (curl-7.26.0).
 libssh2 is a fresh Git checkout (libssh2-HEAD-499b22c).

 # curl -u user:password sftp://127.0.0.1

 Program received signal SIGSEGV, Segmentation fault.
 0x00007ffff62d858b in kex_method_diffie_hellman_group14_sha1_key_exchange
 (session=0x65ee60, key_state=0xb7) at kex.c:804
 804 key_state->state = libssh2_NB_state_idle;
 (gdb) bt
 #0 0x00007ffff62d858b in
 kex_method_diffie_hellman_group14_sha1_key_exchange (session=0x65ee60,
 key_state=0xb7) at kex.c:804
 #1 0x00007ffff62da721 in _libssh2_kex_exchange (session=0x65ee60,
 reexchange=0, key_state=0x66bb00) at kex.c:1759
 #2 0x00007ffff62e33c0 in session_startup (session=0x65ee60, sock=7) at
 session.c:718
 #3 0x00007ffff62e366d in libssh2_session_handshake (session=0x65ee60,
 sock=7) at session.c:796
 #4 0x00007ffff7ba0ff2 in ssh_statemach_act () from
 /tmp/libssh/lib64/libcurl.so.4
 #5 0x00007ffff7ba68c3 in ssh_easy_statemach () from
 /tmp/libssh/lib64/libcurl.so.4
 #6 0x00007ffff7ba6cb1 in ssh_connect () from
 /tmp/libssh/lib64/libcurl.so.4
 #7 0x00007ffff7b759db in Curl_protocol_connect () from
 /tmp/libssh/lib64/libcurl.so.4
 #8 0x00007ffff7b78fc0 in Curl_setup_conn () from
 /tmp/libssh/lib64/libcurl.so.4
 #9 0x00007ffff7b79143 in Curl_connect () from
 /tmp/libssh/lib64/libcurl.so.4
 #10 0x00007ffff7b89625 in connect_host () from
 /tmp/libssh/lib64/libcurl.so.4
 #11 0x00007ffff7b89902 in Curl_do_perform () from
 /tmp/libssh/lib64/libcurl.so.4
 #12 0x00007ffff7b89c6d in Curl_perform () from
 /tmp/libssh/lib64/libcurl.so.4
 #13 0x00007ffff7b8a5e5 in curl_easy_perform () from
 /tmp/libssh/lib64/libcurl.so.4
 #14 0x000000000040f688 in operate ()
 #15 0x000000000040ab3d in main ()

 ==19042== Use of uninitialised value of size 8
 ==19042== at 0x671B58B:
 kex_method_diffie_hellman_group14_sha1_key_exchange (kex.c:804)
 ==19042== by 0x671D720: _libssh2_kex_exchange (kex.c:1759)
 ==19042== by 0x67263BF: session_startup (session.c:718)
 ==19042== by 0x672666C: libssh2_session_handshake (session.c:796)
 ==19042== by 0x4E87FF1: ssh_statemach_act (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E8D8C2: ssh_easy_statemach (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E8DCB0: ssh_connect (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E5C9DA: Curl_protocol_connect (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E5FFBF: Curl_setup_conn (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E60142: Curl_connect (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E70624: connect_host (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E70901: Curl_do_perform (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E70C6C: Curl_perform (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E715E4: curl_easy_perform (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x40F687: operate (in /tmp/libssh/bin/curl)
 ==19042== by 0x40AB3C: main (in /tmp/libssh/bin/curl)
 ==19042==
 ==19042== Invalid write of size 4
 ==19042== at 0x671B58B:
 kex_method_diffie_hellman_group14_sha1_key_exchange (kex.c:804)
 ==19042== by 0x671D720: _libssh2_kex_exchange (kex.c:1759)
 ==19042== by 0x67263BF: session_startup (session.c:718)
 ==19042== by 0x672666C: libssh2_session_handshake (session.c:796)
 ==19042== by 0x4E87FF1: ssh_statemach_act (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E8D8C2: ssh_easy_statemach (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E8DCB0: ssh_connect (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E5C9DA: Curl_protocol_connect (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E5FFBF: Curl_setup_conn (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E60142: Curl_connect (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E70624: connect_host (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E70901: Curl_do_perform (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E70C6C: Curl_perform (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x4E715E4: curl_easy_perform (in
 /tmp/libssh/lib64/libcurl.so.4.2.0)
 ==19042== by 0x40F687: operate (in /tmp/libssh/bin/curl)
 ==19042== by 0x40AB3C: main (in /tmp/libssh/bin/curl)
 ==19042== Address 0xb7 is not stack'd, malloc'd or (recently) free'd

-- 
Ticket URL: <http://trac.libssh2.org/ticket/243>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2012-07-10
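The two diagnostics in the report point at one defect class: valgrind sees an 8-byte "Use of uninitialised value" (the `key_state` pointer) at the very instruction that then performs a 4-byte "Invalid write" to 0xb7 (the enum assignment `key_state->state = libssh2_NB_state_idle`), and gdb shows the method receiving `key_state=0xb7` while its caller still holds a sane `key_state=0x66bb00`. That is the signature of a sub-state pointer that was never initialised before being handed down. The following is an added example, not libssh2's code and not the ticket's fix: the struct names (`session_t`, `kex_state`, `kex_method_state`), the enum and every function here are hypothetical, chosen only to mirror the two-level shape the backtrace implies. It shows why a plain NULL check cannot catch stale heap bytes, and why zeroing at allocation plus an explicit linkage check is the defensive pattern.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libssh2 code. Hypothetical two-level key-exchange
 * state with the shape the backtrace implies: a per-session state that
 * hands the method a pointer to its method-specific sub-state. */
enum nb_state { NB_STATE_IDLE = 0, NB_STATE_CREATED = 1, NB_STATE_SENT = 2 };

typedef struct {
    enum nb_state state;
} kex_method_state;

typedef struct {
    int reexchange;
    kex_method_state *low;   /* method-specific state; must be linked before use */
} kex_state;

typedef struct {
    kex_state key_state;
    kex_method_state method_state;
} session_t;

/* Mirrors kex.c:804 in the report: the method's first action is to reset
 * its own state through the pointer it was handed. The NULL check is only
 * a real guard if the field is guaranteed to start out zeroed. */
static int method_key_exchange(kex_method_state *ms)
{
    if (ms == NULL)
        return -1;
    ms->state = NB_STATE_IDLE;
    return 0;
}

/* Defect pattern: malloc() does not clear the struct, so key_state.low holds
 * stale heap bytes. The 0xb7 fill is a constructed stand-in for that garbage
 * so the example is deterministic; real stale memory is arbitrary. */
session_t *session_alloc_uninitialised(void)
{
    session_t *s = malloc(sizeof *s);
    if (s == NULL)
        return NULL;
    memset(s, 0xb7, sizeof *s);   /* simulate stale heap contents */
    return s;
}

/* Fixed pattern: zero at allocation and link the sub-state explicitly, so
 * the pointer is either valid or NULL, never garbage. */
session_t *session_alloc_initialised(void)
{
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->key_state.low = &s->method_state;
    return s;
}

/* Structural check usable as a debug assertion before any dereference:
 * does the sub-state pointer point where it is supposed to? */
int session_substate_linked(const session_t *s)
{
    return s != NULL && s->key_state.low == &s->method_state;
}

/* The outer exchange, in the role _libssh2_kex_exchange plays at kex.c:1759:
 * it hands the method the sub-state pointer, but refuses unless the link is sane. */
int kex_exchange(session_t *s)
{
    if (!session_substate_linked(s))
        return -1;
    return method_key_exchange(s->key_state.low);
}

/* Runs the defect path. Returns 1 when all three observations hold: the
 * stale pointer is non-NULL (a NULL guard alone would not have helped), the
 * linkage check rejects it, and the exchange is refused instead of writing. */
int demo_uninitialised_path(void)
{
    session_t *s = session_alloc_uninitialised();
    int ok;
    if (s == NULL)
        return 0;
    ok = s->key_state.low != NULL
      && !session_substate_linked(s)
      && kex_exchange(s) == -1;
    free(s);
    return ok;
}

/* Runs the fixed path and returns the method state after the exchange
 * (NB_STATE_IDLE, i.e. 0, on success; -1 if the exchange was refused). */
int demo_initialised_path(void)
{
    session_t *s = session_alloc_initialised();
    int rc;
    if (s == NULL)
        return -1;
    s->method_state.state = NB_STATE_SENT;   /* leftover from a prior exchange */
    rc = kex_exchange(s);
    rc = (rc == 0) ? (int)s->method_state.state : -1;
    free(s);
    return rc;
}

int main(void)
{
    printf("uninitialised path caught: %d\n", demo_uninitialised_path());
    printf("initialised path state:    %d\n", demo_initialised_path());
    return 0;
}
```

Building with `cc -g -fsanitize=address,undefined` or running under `valgrind --track-origins=yes` is the check to apply to the real library: in the report, the "Use of uninitialised value" line is the read of the stale pointer, and `--track-origins=yes` would name the allocation those bytes came from, which is usually the missing `calloc`/`memset` or the struct member that was never assigned.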