Subject: [libssh2] #257: libssh2_session_free: infinite loop

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Sat, 02 Feb 2013 11:10:02 -0000

#257: libssh2_session_free: infinite loop
----------------------+--------------------
 Reporter: greg2001 | Owner:
     Type: defect | Status: new
 Priority: normal | Milestone: 1.4.3
Component: API | Version: 1.4.2
 Keywords: | Blocked By:
   Blocks: |
----------------------+--------------------
 Hi libssh2 developers!
 First, thank you very much for the awesome library: I'm using it (in
 combination with Boost ASIO) in a client(iOS)/server(Linux) application
 with a lot of channels per single SSH session and a lot of data
 transferred back and forth - and everything works great!

 Only a small bug:
 Let's suppose we have a session with active forward listeners - and the
 connection breaks. Calling libssh2_session_free in this situation would
 produce an infinite loop when trying to cancel the forward listeners:
 -----------------------------------------------
         while ((l = _libssh2_list_first(&session->listeners))) {
             rc = _libssh2_channel_forward_cancel(l);
             if (rc == LIBSSH2_ERROR_EAGAIN)
                 return rc;
         }
 -----------------------------------------------

 A short look into _libssh2_channel_forward_cancel reveals the following:
 -----------------------------------------------
         rc = _libssh2_transport_send(session, packet, packet_len, NULL, 0);
         if (rc == LIBSSH2_ERROR_EAGAIN) {
             ...
         }
         else if (rc) {
             _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND,
                            "Unable to send global-request packet for forward "
                            "listen request");
             LIBSSH2_FREE(session, packet);
             listener->chanFwdCncl_state = libssh2_NB_state_idle;
             return LIBSSH2_ERROR_SOCKET_SEND;
         }
 -----------------------------------------------
 So, in case of a comm failure, the listener will never be destroyed,
 causing the infinite loop. Removing the block after "else if (rc)" fixes
 the bug. For some reason, I got this bug only after upgrading to 1.4.3;
 1.4.2 was fine...

 Another really small thing: at the end of
 _libssh2_channel_forward_cancel, the following line accesses already
 deallocated memory:
 -----------------------------------------------
     listener->chanFwdCncl_state = libssh2_NB_state_idle;
 -----------------------------------------------

 WBR
 Gregory Moltchadski
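The loop the ticket describes, modelled as an added C example (not libssh2's own code; the listener list, the transport stub and the function names are hypothetical stand-ins). It shows why a cancel that returns an error without unlinking the listener keeps the drain loop spinning forever, and how unlinking the listener even on a dead connection, with the state write done before free(), removes both the infinite loop and the use-after-free:

```c
#include <stdlib.h>
/* Constructed model of the listener-cancel loop in libssh2_session_free()
 * from the report above; all names are hypothetical, not libssh2's API. */
enum { ERR_EAGAIN = -37, ERR_SOCKET_SEND = -7 };
struct listener { struct listener *next; int cancel_state; };
static struct listener *listeners;   /* stands in for session->listeners */
static void unlink_and_free(struct listener *l) {
    struct listener **pp = &listeners;
    while (*pp && *pp != l) pp = &(*pp)->next;
    if (*pp) *pp = l->next;
    free(l);
}
/* Transport stub: once the connection broke, every send fails. */
static int transport_send(int up) { return up ? 0 : ERR_SOCKET_SEND; }
/* Buggy cancel: on a send error the node stays linked, so the caller's
 * while-loop fetches the same listener again and never terminates. */
static int cancel_buggy(struct listener *l, int up) {
    int rc = transport_send(up);
    if (rc == ERR_EAGAIN) return rc;
    if (rc) { l->cancel_state = 0; return ERR_SOCKET_SEND; }
    unlink_and_free(l);
    return 0;
}
/* Fixed cancel: a dead peer cannot be notified, so the listener is unlinked
 * and freed anyway; the state field is written before free(), never after. */
static int cancel_fixed(struct listener *l, int up) {
    int rc = transport_send(up);
    if (rc == ERR_EAGAIN) return rc;
    l->cancel_state = 0;
    unlink_and_free(l);
    return rc ? ERR_SOCKET_SEND : 0;
}
/* The report's drain loop, bounded: returns passes used, or -1 past `bound`. */
static int drain(int (*cancel)(struct listener *, int), int up, int bound) {
    struct listener *l; int n = 0;
    while ((l = listeners)) {
        if (n++ == bound) return -1;
        if (cancel(l, up) == ERR_EAGAIN) return n;
    }
    return n;
}
/* Reset the list and build `count` live listeners. */
static void setup(int count) {
    while (listeners) unlink_and_free(listeners);
    while (count--) {
        struct listener *l = calloc(1, sizeof *l);
        l->next = listeners; listeners = l;
    }
}
```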

-- 
Ticket URL: <https://trac.libssh2.org/ticket/257>
libssh2 <https://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2013-02-02