Subject: [libssh2] [ libssh2-Bugs-1533101 ] Seg Fault in Key Exchange

From: <>
Date: Wed, 06 Jun 2007 12:53:15 -0700

Bugs item #1533101, was opened at 2006-08-02 14:51
Message generated for change (Comment added) made by bagder
You can respond by visiting:

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
>Resolution: Duplicate
Priority: 5
Private: Yes
Submitted By: kernelmustard (sshattered)
Assigned to: Nobody/Anonymous (nobody)
Summary: Seg Fault in Key Exchange

Initial Comment:
Libssh2 Team,

Running against an ssh server: "SSH-2.0-lshd_1.4.1", in
an OpenSSH "no hostkey alg" state, libssh2 versions 12
and 13 (configure'd and built with defaults on Fedora
Core 3) seg fault repeatedly at kex.c line 946. No
prefs are used in the libssh2_kex_agree_hostkey
function. Debugging shows the "while" loop on line 931
passes the first two items of the array, ssh-rsa and
ssh-dss, but fails on the NULL array entry. All three
of the passes have "none" hostkeys and associated lengths.

stack is as follows:
#0 0x00c03ec8 in libssh2_kex_agree_hostkey
(session=0x9e5f728, kex_flags=2, hostkey=0x9e6c9d3
"none", hostkey_len=4) at kex.c:946
946 hostkeyp++;
(gdb) bt
#0 0x00c03ec8 in libssh2_kex_agree_hostkey
(session=0x9e5f728, kex_flags=2, hostkey=0x9e6c9d3
"none", hostkey_len=4) at kex.c:946
#1 0x00c0503b in libssh2_kex_exchange
(session=0x9e5f728, reexchange=0) at kex.c:996
#2 0x00c0b761 in libssh2_session_startup
(session=0x9e5f728, socket=4) at session.c:321

A malevolent server could be configured or emulated to
crash clients using libssh2 by passively listening and
exhibiting the "no host key" behavior.

All network packet captures appear nominal and are
available on request. OpenSSH captures against the same
server are also available. Debug libssh2 traces of
libssh are also available on request.

A quick but perhaps inappropriate fix (to demonstrate)
may be made by adding
" int count=0; for(;count<2;count++)//" to kex.c
2005-07-11 11:56 line 946. (This convention, the NULL
array stop, might possibly fail elsewhere as well.)
Applying this fix will allow this particular server to
exit the libssh2_session_startup() function with a
reported error, avoiding the failure. This fix does not
interfere with interactions over a large server set.


Sara G. this is in reference to the email containing
the same issue sent to polllita at your PECL address.

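As an added illustration (not libssh2's code and not the reporter's; the struct, table and function names are hypothetical), here is the failure mode described above: a NULL-terminated hostkey method table walked with a loop condition that checks the wrong pointer level, beside a walk that stops at the terminator and turns the unmatched "none" into an ordinary negotiation failure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One hostkey algorithm the client supports (hypothetical struct). */
typedef struct {
    const char *name;   /* algorithm name as it appears on the wire */
} hostkey_method;

static const hostkey_method method_rsa = { "ssh-rsa" };
static const hostkey_method method_dss = { "ssh-dss" };

/* Constructed client method table; the trailing NULL is the terminator. */
static const hostkey_method *hostkey_methods[] = { &method_rsa, &method_dss, NULL };

/* Buggy walk: the condition tests the slot pointer p, which is never NULL
 * inside the array, instead of the entry *p. A name matching nothing (the
 * server's "none") drives the loop onto the terminator, where (*p)->name
 * dereferences NULL. Shown for contrast only; never call it with an unmatched name. */
const hostkey_method *agree_hostkey_buggy(const char *hostkey, size_t len)
{
    const hostkey_method **p = hostkey_methods;
    while (p && (*p)->name) {
        if (strlen((*p)->name) == len && memcmp((*p)->name, hostkey, len) == 0)
            return *p;
        p++;
    }
    return NULL;
}

/* Fixed walk: stop at the terminator itself, so an unmatched name yields a
 * clean NULL that the caller reports as a failed key exchange. */
const hostkey_method *agree_hostkey(const char *hostkey, size_t len)
{
    const hostkey_method **p;
    for (p = hostkey_methods; *p != NULL; p++) {
        if (strlen((*p)->name) == len && memcmp((*p)->name, hostkey, len) == 0)
            return *p;
    }
    return NULL;
}

int main(void)
{
    const char *offered = "none";   /* hostkey_len=4, as in the reported backtrace */
    const hostkey_method *m = agree_hostkey(offered, strlen(offered));
    printf("%s -> %s\n", offered, m ? m->name : "no agreement, abort startup");
    return 0;
}
```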

>Comment By: Daniel Stenberg (bagder)
Date: 2007-06-06 21:53

Logged In: YES
Originator: NO

see #1532739


Comment By: kernelmustard (sshattered)
Date: 2006-08-02 16:14

Logged In: YES

Duplicate item, please remove, thanks, John.


libssh2-devel mailing list
Received on 2007-06-11