Subject: Re: [libssh2] All Your Mem Belongs to Us

From: Satish Mittal <satish.mittal_at_gmail.com>
Date: Fri, 10 Nov 2006 18:31:00 +0530

Hi Daniel,

I don't know about the SCP functionality of libssh2, but I have definitely seen
this problem when using the sftp functionality of libssh2, and I have reported
this on the libcurl mailing list as well. Because of the junk packet_length
value, my application is crashing since LIBSSH2_ALLOC tries to allocate this
huge amount of memory.

I think for sanity, apart from your fix we also need to initialize the
buf[24] array created on the stack to all zeros (in line 874).

In my case, the problem was because libssh2_blocking_read was failing and
returning -1, which was assigned to an unsigned long. James seems to have fixed
that, but to me it looks to be more of an implementation problem at the SSH
transport layer protocol itself!

Thanks,
Satish

On 11/10/06, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Fri, 10 Nov 2006, Daniel Stenberg wrote:
>
> > 2. What about some sensibility-checks to avoid allocating over-the-top
> > amounts? It seems like a dead-easy way to screw up clients if you are an
> > evil server.
>
> Yeps, a clear deviance from what the RFC tells us. Here's a little patch that
> makes libssh2 abort my "abuse" nice and clean.
>
> --- packet.c~ 2006-06-22 20:31:55.000000000 +0200
> +++ packet.c 2006-11-10 11:42:46.000000000 +0100
> @@ -886,6 +886,19 @@
> return -1;
> }
> packet_length = libssh2_ntohu32(buf);
> +
> + /* RFC4253 section 6.1 Maximum Packet Length says:
> +
> + "All implementations MUST be able to process packets
> with
> + uncompressed payload length of 32768 bytes or less and
> + total packet size of 35000 bytes or less (including
> length,
> + padding length, payload, padding, and MAC.)."
> +
> + */
> + if(packet_length > 35000) {
> + return -1;
> + }
> +
> padding_length = buf[4];
> #ifdef LIBSSH2_DEBUG_TRANSPORT
> _libssh2_debug(session, LIBSSH2_DBG_TRANS, "Processing plaintext
> packet %lu bytes long (with %lu bytes padding)", packet_length,
> padding_length);
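Review bot: the new `if(packet_length > 35000)` check caps only the upper end, while `padding_length = buf[4]` is read right after it and the payload length is later derived as packet_length minus padding_length minus one, so a tiny packet_length (anything below padding_length + 1) still passes and underflows. Suggest adding, after `padding_length = buf[4];`, something like `if(packet_length < (unsigned long)padding_length + 1) return -1;`. Also worth a comment: the 35000 figure in RFC 4253 is the total packet size including the length field and MAC, whereas packet_length on the wire excludes both, so the cap is a few bytes loose; harmless as an allocation limit, but the quoted text reads as if it were exact.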
>
>
> _______________________________________________
> libssh2-devel mailing list
> libssh2-devel_at_lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/libssh2-devel
>

-- 
"The happiest of people don't necessarily have the best of everything, they
just make the most of everything that comes along their way."
Received on 2006-11-10
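The two failure modes the thread describes (a failed read whose -1 ends up in an unsigned length, and a server-chosen packet_length handed straight to the allocator), as an added C example that is not libssh2's code: it parses the RFC 4253 binary-packet header from an in-memory stand-in for the socket, tests the sign of the read result before the value is stored anywhere unsigned, zeroes the header buffer as Satish suggests, caps packet_length at the 35000-byte figure Daniel's patch uses, and also rejects lengths too small to hold the padding_length byte plus the padding. The function names, the fake_wire/fake_read stand-in, SSH_MIN_PADDING and the sample wire bytes are assumptions constructed for the example.

```c
/* Added example, not libssh2 code: validate an RFC 4253 binary-packet header
 * before packet_length is used for anything. fake_wire/fake_read stand in for
 * the socket (assumption); SSH_MAX_PACKET_LENGTH is the 35000-byte figure from
 * RFC 4253 section 6.1, SSH_MIN_PADDING the four-byte minimum from section 6. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define SSH_MAX_PACKET_LENGTH 35000u
#define SSH_MIN_PADDING       4u

enum ssh_status {
    SSH_OK          =  0,
    SSH_READ_FAILED = -1,   /* short or failed read, nothing allocated */
    SSH_TOO_LARGE   = -2,   /* server-chosen length above the RFC cap */
    SSH_TOO_SMALL   = -3    /* cannot hold padding_length byte + padding */
};

/* Constructed stand-in for a blocking socket read: hands out bytes from a
 * buffer and returns -1 (a signed value) when the data runs out. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } fake_wire;

static ssize_t fake_read(fake_wire *w, uint8_t *out, size_t n)
{
    if (w->len - w->pos < n)
        return -1;
    memcpy(out, w->data + w->pos, n);
    w->pos += n;
    return (ssize_t)n;
}

static uint32_t load_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Read and validate the 5-byte header: uint32 packet_length, byte padding_length. */
int ssh_read_header(fake_wire *w, uint32_t *packet_length, uint8_t *padding_length)
{
    uint8_t buf[5] = {0};   /* zeroed: a failed read leaves no stack junk behind */
    ssize_t got = fake_read(w, buf, sizeof buf);

    /* Test the sign on the ssize_t. Storing the result in an unsigned long
     * first would turn -1 into ULONG_MAX and sail past every size check. */
    if (got < 0 || (size_t)got != sizeof buf)
        return SSH_READ_FAILED;

    uint32_t plen = load_u32_be(buf);
    uint8_t  pad  = buf[4];

    /* Upper bound: a hostile server must not get to choose the allocation size. */
    if (plen > SSH_MAX_PACKET_LENGTH)
        return SSH_TOO_LARGE;
    /* Lower bound: payload_length = plen - pad - 1 must not underflow, and the
     * padding itself has a minimum length. */
    if (pad < SSH_MIN_PADDING || plen < (uint32_t)pad + 1u)
        return SSH_TOO_SMALL;

    *packet_length  = plen;
    *padding_length = pad;
    return SSH_OK;
}

/* Read one plaintext, unMACed packet. Only after the header passes the checks
 * above is packet_length used to size an allocation. Returns the payload+padding
 * buffer (caller frees) and the payload length, or NULL with *status set. */
uint8_t *ssh_read_packet(fake_wire *w, size_t *payload_len, int *status)
{
    uint32_t plen; uint8_t pad;
    *payload_len = 0;
    *status = ssh_read_header(w, &plen, &pad);
    if (*status != SSH_OK)
        return NULL;

    size_t body = plen - 1;              /* payload + padding; plen >= pad + 1 */
    uint8_t *buf = malloc(body);
    if (!buf) { *status = SSH_READ_FAILED; return NULL; }

    ssize_t got = fake_read(w, buf, body);
    if (got < 0 || (size_t)got != body) {
        free(buf);
        *status = SSH_READ_FAILED;
        return NULL;
    }
    *payload_len = body - pad;           /* first *payload_len bytes are payload */
    return buf;
}

/* Convenience wrapper: parse raw bytes, report status and payload length. */
int ssh_parse_bytes(const uint8_t *data, size_t len, size_t *payload_len)
{
    fake_wire w = { data, len, 0 };
    int status;
    free(ssh_read_packet(&w, payload_len, &status));
    return status;
}

int main(void)
{
    /* Constructed wire bytes: packet_length 12, padding 6, payload "hello". */
    static const uint8_t good[] = {0,0,0,12, 6, 'h','e','l','l','o', 0,0,0,0,0,0};
    size_t n = 0;
    int st = ssh_parse_bytes(good, sizeof good, &n);
    printf("status %d, payload %zu bytes\n", st, n);
    return 0;
}
```

The order of the checks is the point: the sign test happens on the signed read result, the upper and lower bounds on packet_length happen before malloc, and only then does the body read run with a length the peer cannot inflate.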