Subject: Re: libssh2_knownhosts_writefile_fp()

Re: libssh2_knownhosts_writefile_fp()

From: Alexander Lamaison <>
Date: Sun, 21 Nov 2010 13:48:45 +0000

On 21 November 2010 13:34, Ben Kibbey <> wrote:
> On Sun, Nov 21, 2010 at 12:53:43PM +0000, Alexander Lamaison wrote:
>> On 21 November 2010 12:44, Ben Kibbey <> wrote:
>> >
>> > I get a warning during linking about tempnam(3) being insecure. Heres a
>> > a patch to write the knownhosts to an already open file stream (which I
>> > create with tmpfile(3).
>> Passing a FILE* across an API call is a really bad idea.  Unless
>> you're linking statically, this can corrupt the C-runtime memory as
>> you're passing an object owned by one runtime instance to another.
>> Although there are a couple of calls in libssh2 that still do this,
>> we're trying to get rid of them.
> Is it only the FILE* structure? What about the file descriptor of the
> opened stream obtained from fileno(3)? Is that safe?

Also not safe. Any 'object' that belongs to one instance of the
C-runtime must not be manipulated by another instance. The file
descriptor data is owned by the C-runtime regardless of whether you
access it via a fileno or a FILE*.

It's a bit like calling malloc() in one instance and calling free() in
the other which will also corrupt the runtime memory and most likely
crash. While the memory allocated by malloc() is not owned by the
C-runtime (you can access the memory anywhere you wish), the table of
memory allocations *is*. When you call another instance's free() on
the pointer, it is the table of allocations that is changed, not the
allocated memory. As each runtime instance has its own table, boo boo

Unfortunately, as far as I'm aware, every file operation manipulates
internal tables so you can never safely use any form of opened file
descriptor across API calls.

Received on 2010-11-21