On Mon, 14 Oct 2013, Tyler Hall wrote:
According to the documentation for libssh2_userauth_list(), a NULL return
value is not necessarily an error. You must call
libssh2_userauth_authenticated() to determine if the SSH_USERAUTH_NONE
request was successful.
This fixes a segv when using sftp on a server that allows logins with an
empty password. When NULL was interpreted as an error, it would free the
session but not flag an error since the libssh2 errno would be clear. This
resulted in dereferencing a NULL session pointer.
Lovely (and slightly embarrasing that I didn't see this already before since
I'm sure I wrote that part of the libssh2 documentation) !
Thanks a lot, merged and pushed!
--
/ daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
