#211: size mismatch between struct transportpacket fields causes libssh2 to get stuck
---------------------------------------------------------------------------------------+
  Reporter:  www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna  |  Owner:       Peter Stuge <peter@…>
      Type:  defect                                                                    |  Status:      closed
  Priority:  normal                                                                    |  Milestone:   1.2.8
 Component:  protocol                                                                  |  Version:     1.2.7
Resolution:  fixed                                                                     |  Keywords:
    Blocks:                                                                            |  Blocked By:
---------------------------------------------------------------------------------------+
Comment (by www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna):

 Replying to [comment:6 www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna]:
 > Replying to [comment:5 stuge]:
 > > Replying to [comment:4 www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna]:
 > > > won't this get us into trouble if there was an error after p->total_num was set
 > > > (for example while decrypting a chunk)
 > >
 > > Did you already look at which code paths have this problem? Do you know if there are many of them?
 >
 > I can't speak about there being many. The one that I had in mind was in the _libssh2_channel_read function (src/channel.c on line 1692), where we have
 >
 >     while (rc > 0)
 >         rc = _libssh2_transport_read(session);
 >
 >     if ((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN))
 >         return _libssh2_error(session, rc, "transport read");
 >
 > Now if we get a decryption error in the 2nd call to _libssh2_transport_read, we could have session->packet.total_num set to a non-zero value.
 > In response to this error, client code might try to free the channel (which is what my code does). libssh2_channel_free again calls libssh2_transport_read and we get stuck in the do {} while loop.
 >
 > Jasmeet

 Any thoughts?

--
Ticket URL: <http://trac.libssh2.org/ticket/211#comment:7>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients

_______________________________________________
libssh2-devel
http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel