#211: size mismatch between struct transportpacket fields causes libssh2 to get stuck

  Reporter: www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna
  Owner:
  Type: defect            | Status: new
  Priority: normal        | Milestone: 1.2.8
  Component: protocol     | Version: 1.2.7
  Keywords:               | Blocks:
  Blocked By:

transportpacket->packet_length is of type uint32_t.
transportpacket->total_num is of type int (32 bit on most architectures).

In libssh2_transport_read (src/transport.c) on line 454 total_num is computed as

  p->total_num = p->packet_length - 1 + (encrypted ? session->remote.mac->mac_len : 0);

In this case if packet_length is greater than (2 pow 30) we get a total_num value that is -ve. In this case libssh2 gets stuck in an infinite do {} while loop inside libssh2_transport_read.

I understand from the definition of LIBSSH2_PACKET_MAXPAYLOAD and the comment right after the total_num calculation that the maximum uncompressed payload should never be greater than 40000, so it's likely that what we are getting from the other side here has a bogus packet length (in the particular case it was 3359664964). However, with the type/size mismatch we bypass the check on line 466 in src/transport.c, i.e.

  if (p->total_num > LIBSSH2_PACKET_MAXPAYLOAD) {
      return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
  }

Subsequently we get stuck in the infinite do {} while loop.

Suggested solution: define both packet_length and total_num to be of type uint32_t.

--
Ticket URL: <http://trac.libssh2.org/ticket/211>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients

_______________________________________________
libssh2-devel
http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
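The mismatch the report describes, as an added C example that is not libssh2's code: the signed total_num from the ticket beside the uint32_t version it proposes, each run through the same bounds check with the length quoted above. The struct names and the 40000 bound are stand-ins constructed from the report, not the library's own definitions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Upper bound on a decoded packet as the ticket describes it (40000 bytes).
 * Constructed stand-in for the libssh2 constant; value taken from the report. */
#define LIBSSH2_PACKET_MAXPAYLOAD 40000

/* Field types as described in the ticket (constructed struct, not libssh2's). */
struct transportpacket_buggy {
    uint32_t packet_length;
    int total_num;          /* signed 32-bit: the mismatch */
};

struct transportpacket_fixed {
    uint32_t packet_length;
    uint32_t total_num;     /* suggested fix: same width and signedness */
};

/* Returns true when the bounds check rejects the packet (the safe outcome). */
bool bounds_check_buggy(uint32_t packet_length, bool encrypted, int mac_len)
{
    struct transportpacket_buggy p = { packet_length, 0 };
    /* The sum is computed in uint32_t, then stored into a signed int. Once it
     * reaches 2^31 the stored value is negative on two's-complement targets
     * (implementation-defined in C, wrap-around with gcc and clang). */
    p.total_num = p.packet_length - 1 + (encrypted ? mac_len : 0);
    return p.total_num > LIBSSH2_PACKET_MAXPAYLOAD;   /* a negative never exceeds 40000 */
}

bool bounds_check_fixed(uint32_t packet_length, bool encrypted, int mac_len)
{
    struct transportpacket_fixed p = { packet_length, 0 };
    p.total_num = p.packet_length - 1 + (encrypted ? (uint32_t)mac_len : 0u);
    /* Unsigned comparison: a bogus length cannot slip past as a negative number,
     * and the edge case packet_length == 0 wraps to 0xFFFFFFFF and is rejected too. */
    return p.total_num > LIBSSH2_PACKET_MAXPAYLOAD;
}

int main(void)
{
    const uint32_t bogus = 3359664964u;  /* the length quoted in the ticket */
    printf("bogus length, buggy check rejects: %d\n", bounds_check_buggy(bogus, true, 20));
    printf("bogus length, fixed check rejects: %d\n", bounds_check_fixed(bogus, true, 20));
    printf("sane length 1024, fixed check rejects: %d\n", bounds_check_fixed(1024u, true, 20));
    return 0;
}
```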