Subject: [libssh2] #195: crash during session setup if remote host does not offer valid keys

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Mon, 01 Nov 2010 21:43:27 -0000

#195: crash during session setup if remote host does not offer valid keys
---------------------------------------------------------------------------------------+
  Reporter: www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna | Owner:
      Type: defect | Status: new
  Priority: normal | Milestone: 1.2.6
 Component: protocol | Version: 1.2.2
  Keywords: | Blocks:
Blocked By: |
---------------------------------------------------------------------------------------+
 While setting up the session, ssh tries to determine the type of
 encryption method it can use for the session. This requires looking at the
 keys offered by the remote host and comparing them with the methods
 supported by libssh2 (rsa & dss). To do this, the code iterates over
 the array containing the methods supported by libssh2. This array is
 defined as follows (in src/hostkey.c):
 static const LIBSSH2_HOSTKEY_METHOD *hostkey_methods[] = {
 #if LIBSSH2_RSA
      &hostkey_method_ssh_rsa,
 #endif /* LIBSSH2_RSA */
 #if LIBSSH2_DSA
      &hostkey_method_ssh_dss,
 #endif /* LIBSSH2_DSA */
      NULL
 };
 While trying to determine the encryption method there is code in src/kex.c
 of the form

   // hostkeyp's type is LIBSSH2_HOSTKEY_METHOD* [] (pointer into hostkey_methods)
   while (hostkeyp && (*hostkeyp)->name) {
       // Examine the remote host key to see if we can agree on an encryption method.
       hostkeyp++;
   }

 If there is no agreement on the type of encryption, we come to the 3rd
 entry of the hostkey_methods array, the NULL terminator. Here hostkeyp is
 a valid pointer but *hostkeyp is NULL, so dereferencing it in
 (*hostkeyp)->name crashes with the following backtrace.
 #0 0x00007f0e04103ecc in kex_agree_hostkey (session=0x602040,
 kex_flags=2, hostkey=0x6079d3 " ", hostkey_len=1)
     at kex.c:1271
 1271 kex.c: No such file or directory.
         in kex.c
 (gdb) bt
 #0 0x00007f0e04103ecc in kex_agree_hostkey (session=0x602040,
 kex_flags=2, hostkey=0x6079d3 " ", hostkey_len=1)
     at kex.c:1271
 #1 0x00007f0e04104a0b in libssh2_kex_exchange (session=0x602040,
 reexchange=<value optimized out>, key_state=0x606410)
     at kex.c:1355
 #2 0x00007f0e0410bb6e in libssh2_session_startup (session=0x602040,
 sock=3) at session.c:594
 #3 0x0000000000400da0 in main ()
 (gdb)
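 The defect above is the classic NULL-sentinel-table mistake: the loop condition follows
 the entry pointer before checking that the entry itself is non-NULL. The following is an
 added, self-contained illustration (not libssh2's code and not the patch attached to this
 ticket): a stand-in method struct with only a name field, a NULL-terminated table shaped
 like hostkey_methods[], the loop in the crashing form, and the same loop with the missing
 *hostkeyp check added. The list-membership helper name_in_list() and the sample
 algorithm lists are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for LIBSSH2_HOSTKEY_METHOD: only the name matters for this demo (assumption). */
typedef struct {
    const char *name;
} hostkey_method_t;

static const hostkey_method_t method_rsa = { "ssh-rsa" };
static const hostkey_method_t method_dss = { "ssh-dss" };

/* NULL-terminated table, same shape as hostkey_methods[] in src/hostkey.c. */
static const hostkey_method_t *hostkey_methods[] = {
    &method_rsa,
    &method_dss,
    NULL
};

/* Constructed helper: nonzero if `name` appears as one element of the
 * comma-separated name-list `list` (the SSH KEXINIT name-list format). */
static int name_in_list(const char *list, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == nlen && memcmp(p, name, nlen) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Loop in the shape the ticket describes. hostkeyp itself is never NULL
 * (it points into the array), so the first test is useless, and when no
 * entry matches the loop reaches the NULL terminator and dereferences it
 * in (*hostkeyp)->name. Only safe to call when a match is guaranteed. */
const hostkey_method_t *agree_hostkey_buggy(const char *remote_list)
{
    const hostkey_method_t **hostkeyp = hostkey_methods;
    while (hostkeyp && (*hostkeyp)->name) {     /* reads through NULL on no match */
        if (name_in_list(remote_list, (*hostkeyp)->name))
            return *hostkeyp;
        hostkeyp++;
    }
    return NULL;
}

/* Corrected loop: test the entry pointer before following it, so the NULL
 * terminator ends the loop instead of being dereferenced. */
const hostkey_method_t *agree_hostkey_fixed(const char *remote_list)
{
    const hostkey_method_t **hostkeyp = hostkey_methods;
    while (hostkeyp && *hostkeyp && (*hostkeyp)->name) {
        if (name_in_list(remote_list, (*hostkeyp)->name))
            return *hostkeyp;
        hostkeyp++;
    }
    return NULL;   /* no agreement: caller must fail the key exchange cleanly */
}

int main(void)
{
    /* Constructed sample: a peer offering only a key type this table lacks. */
    const char *unsupported = "ssh-ed25519";
    const hostkey_method_t *m = agree_hostkey_fixed(unsupported);
    printf("fixed loop, no common method: %s\n", m ? m->name : "(none, no crash)");

    m = agree_hostkey_fixed("ssh-dss,ssh-rsa");
    printf("fixed loop, common method: %s\n", m ? m->name : "(none)");
    return 0;
}
```

 The fixed loop returns NULL on the unsupported offer, which is the condition the
 caller must turn into a key-exchange failure rather than a segfault; the buggy form
 only behaves when the peer's list happens to contain a supported type.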

 I have fixed this issue in my copy of the library and I am submitting the
 patch for inclusion here.

-- 
Ticket URL: <http://trac.libssh2.org/ticket/195>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-11-01