Bugs item #1533101, was opened at 2006-08-02 14:51
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=703942&aid=1533101&group_id=125852

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
>Status: Closed
>Resolution: Duplicate
Priority: 5
Private: Yes
Submitted By: kernelmustard (sshattered)
Assigned to: Nobody/Anonymous (nobody)
Summary: Seg Fault in Key Exchange

Initial Comment:
Libssh2 Team,

Running against an ssh server: "SSH-2.0-lshd_1.4.1", in an OpenSSH "no hostkey alg" state, libssh2 versions 12 and 13 (configure'd and built with defaults on Fedora Core 3) seg faults repeatedly at kex.c line 946. No prefs are used in the libssh2_kex_agree_hostkey function. Debugging shows the "while" loop on line 931 passes the first two items of the array, ssh-rsa and ssh-dss, but fails on the NULL array entry. All three of the passes have "none" hostkeys and associated lengths.

Stack is as follows:

#0  0x00c03ec8 in libssh2_kex_agree_hostkey (session=0x9e5f728, kex_flags=2, hostkey=0x9e6c9d3 "none", hostkey_len=4) at kex.c:946
946             hostkeyp++;
(gdb) bt
#0  0x00c03ec8 in libssh2_kex_agree_hostkey (session=0x9e5f728, kex_flags=2, hostkey=0x9e6c9d3 "none", hostkey_len=4) at kex.c:946
#1  0x00c0503b in libssh2_kex_exchange (session=0x9e5f728, reexchange=0) at kex.c:996
#2  0x00c0b761 in libssh2_session_startup (session=0x9e5f728, socket=4) at session.c:321
...

A malevolent server could be configured or emulated to crash clients using libssh2 by passively listening and exhibiting the "no host key" behavior.

All network packet captures appear nominal and are available on request. OpenSSH captures against the same server are also available. Debug libssh2 traces of libssh are also available on request.

A quick but perhaps inappropriate fix (to demonstrate) may be made by adding " int count=0; for(;count<2;count++)//" to kex.c 2005-07-11 11:56 line 946. (This convention, the NULL array stop, might possibly fail elsewhere as well.)

Applying this fix will allow this particular server to exit the libssh2_session_startup() function with a reported error, avoiding the failure. This fix does not interfere with interactions over a large server set.

Thanks,
John
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Sara G., this is in reference to the email containing the same issue sent to polllita at your PECL address.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2007-06-06 21:53

Message:
Logged In: YES
user_id=1110
Originator: NO

see #1532739

----------------------------------------------------------------------

Comment By: kernelmustard (sshattered)
Date: 2006-08-02 16:14

Message:
Logged In: YES
user_id=1566454

Duplicate item, please remove, thanks, John.

----------------------------------------------------------------------

_______________________________________________
libssh2-devel mailing list
libssh2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libssh2-devel
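An added illustration (written for this page, not code from libssh2's kex.c or from the reporter) of the NULL-terminated method-table walk the report describes, with the terminator checked before every dereference so that a server-offered host-key name matching nothing, such as "none", produces an error return instead of a crash. The struct, table and function names are assumptions, not libssh2's.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a host-key method descriptor. */
typedef struct {
    const char *name;   /* algorithm name, e.g. "ssh-rsa" */
} hostkey_method;

static const hostkey_method METHOD_RSA = { "ssh-rsa" };
static const hostkey_method METHOD_DSS = { "ssh-dss" };

/* Client-side table of supported methods, terminated by a NULL entry
 * (the "NULL array stop" convention the report mentions). */
static const hostkey_method *const hostkey_methods[] = {
    &METHOD_RSA,
    &METHOD_DSS,
    NULL
};

/* The offered name comes from a length-prefixed SSH name-list and is not
 * NUL-terminated, so compare by length, never with strcmp(). */
static int name_matches(const hostkey_method *m, const char *offered,
                        size_t offered_len)
{
    return strlen(m->name) == offered_len &&
           memcmp(m->name, offered, offered_len) == 0;
}

/* Hardened walk: the loop condition tests for the terminator *before* the
 * entry is used. The report describes a loop that passed ssh-rsa and ssh-dss
 * and then failed on the NULL entry when the offered name matched neither. */
const hostkey_method *agree_hostkey(const char *offered, size_t offered_len)
{
    const hostkey_method *const *hostkeyp = hostkey_methods;

    while (*hostkeyp != NULL) {
        if (name_matches(*hostkeyp, offered, offered_len))
            return *hostkeyp;
        hostkeyp++;
    }
    return NULL;   /* no agreement: let the caller report an error */
}

/* What a session startup would do with the result: 0 on agreement,
 * -1 when the server offers nothing usable (the "none" case). */
int kex_agree_or_fail(const char *offered, size_t offered_len)
{
    return agree_hostkey(offered, offered_len) != NULL ? 0 : -1;
}
```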