Subject: libssh2-devel post from jpv110@rsphymail.anu.edu.au requires approval

libssh2-devel post from jpv110@rsphymail.anu.edu.au requires approval

From: <libssh2-devel-owner_at_cool.haxx.se>
Date: Mon, 27 Jul 2009 02:29:44 +0200

As list administrator, your authorization is requested for the
following mailing list posting:

    List: libssh2-devel_at_cool.haxx.se
    From: jpv110_at_rsphymail.anu.edu.au
    Subject: Problem with libssh2_scp_recv() and libssh2_channel_read()
    Reason: Post by non-member to a members-only list

At your convenience, visit:

    http://cool.haxx.se/cgi-bin/mailman/admindb/libssh2-devel
        
to approve or deny the request.

attached mail follows:

Hi,

Using the latest daily snapshot of libssh2, I have a problem downloading
files using libssh2_scp_recv(). When reading the data using
libssh2_channel_read(), I consistently fail to pass the new check in
transport.c, line 434, which was introduced to fix bug 2814613:
p->packet_length exceeds PACKETBUFSIZE (16384) and the function
_libssh2_transport_read() returns failure.
Shouldn't the check at line 455 (see below) take care of illegally large
values for p->packet_length?

>From transport.c, function _libssh2_transport_read():

 /* we now have the initial blocksize bytes decrypted,
  * and we can extract packet and padding length from it
  */
 p->packet_length = _libssh2_ntohu32(block);
/* line 434 */ if ((p->packet_length < 1) || (p->packet_length >
PACKETBUFSIZE))
    return PACKET_FAIL;

 p->padding_length = block[4];
 if (p->padding_length < 0)
    return PACKET_FAIL;

 /* total_num is the number of bytes following the initial
    (5 bytes) packet length and padding length fields */
 p->total_num =
    p->packet_length - 1 +
    (encrypted ? session->remote.mac->mac_len : 0);

/* RFC4253 section 6.1 Maximum Packet Length says:
 *
 * "All implementations MUST be able to process
 * packets with uncompressed payload length of 32768
 * bytes or less and total packet size of 35000 bytes
 * or less (including length, padding length, payload,
 * padding, and MAC.)."
 */
/* line 455 */ if (p->total_num > LIBSSH2_PACKET_MAXPAYLOAD) {
   return PACKET_TOOBIG;
}

Cheers,
Paul Veldkamp

attached mail follows:

If you reply to this message, keeping the Subject: header intact,
Mailman will discard the held message. Do this if the message is
spam. If you reply to this message and include an Approved: header
with the list password in it, the message will be approved for posting
to the list. The Approved: header can also appear in the first line
of the body of the reply.
Received on 2009-07-27