Subject: [libssh2] #207: libssh2 (v1.2.1) crashes in libssh2_channel_read_ex due to invalid memory write

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Fri, 21 Jan 2011 19:37:04 -0000

#207: libssh2 (v1.2.1) crashes in libssh2_channel_read_ex due to invalid memory write
---------------------------------------------------------------------------------------+
  Reporter: www.google.com/accounts/o8/id?id=aitoawmdz8rvnouurvo7z17gt8ll4pj4-xvsgja | Owner:
      Type: defect | Status: new
  Priority: normal | Milestone: 1.2.8
 Component: crypto | Version: 1.2.1
  Keywords: | Blocks:
Blocked By: |
---------------------------------------------------------------------------------------+
 Under certain circumstances libssh2 crashes in libssh2_channel_read_ex
 due to an invalid memory write at transport.c:124, 12 bytes after a
 block of size 63 allocated at transport.c:454. Here is valgrind's report
 with line numbers:

 ==6833== Invalid write of size 1
 ==6833== at 0x4A20F57: memcpy (mc_replace_strmem.c:402)
 ==6833== by 0x7FA6EAD: decrypt (transport.c:124)
 ==6833== by 0x7FA70E0: _libssh2_transport_read (transport.c:520)
 ==6833== by 0x7F9105B: libssh2_channel_read_ex (channel.c:1781)
 ............... application calls ...........
 ==6833== Address 0x3fa3f463 is 12 bytes after a block of size 63 alloc'd
 ==6833== at 0x4A1EDEB: malloc (vg_replace_malloc.c:207)
 ==6833== by 0x7FA741F: _libssh2_transport_read (transport.c:454)
 ==6833== by 0x7F9105B: libssh2_channel_read_ex (channel.c:1781)
 ............... application calls ...........

 --6833-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting

 If helpful, here is the debug stack trace of the core file, which seems to
 be the same issue:
 #0 _libssh2_ntohu32 (buf=0xcb37402deaf43587 <Address 0xcb37402deaf43587 out of bounds>) at misc.c:115
 115 misc.c: No such file or directory.
     in misc.c
 (gdb) where
 #0 _libssh2_ntohu32 (buf=0xcb37402deaf43587 <Address 0xcb37402deaf43587 out of bounds>) at misc.c:115
 #1 0x00007f6cc06ce0f0 in libssh2_channel_read_ex (channel=0x706d290, stream_id=0,
     buf=0x712b520 ">\r\n<snmp-index>\r\n6\r\n</snmp-index>\r\n<if-type>\r\nLoopback\r\n</if-type>\r\n<mtu>\r\nUnlimited\r\n</mtu>\r\n<if-device-flags>\r\n<ifdf-present/>\r\n<ifdf-running/>\r\n<ifdf-loopback/>\r\n</if-device-flags>\r\n<if-config-flag"...,
     buflen=<value optimized out>) at channel.c:1813

 This happens when interacting with a Juniper router. Unfortunately the
 trigger conditions are unknown ...

 Let me know if I can help with tracking down the issue.

 Thanks!

-- 
Ticket URL: <http://trac.libssh2.org/ticket/207>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2011-01-21
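Editor's note, added after the archived message and not part of the ticket or of libssh2's code: the valgrind output above describes a block-wise decrypt copy (memcpy inside decrypt(), called from _libssh2_transport_read) running past a heap buffer that _libssh2_transport_read had sized from the packet header. The ticket does not say why the sizes disagreed, so the example below does not claim to be the #207 defect. It shows the two checks a reader would compare transport.c against: validating the RFC 4253 packet header (packet_length, padding_length, total length a multiple of the cipher block size) before allocating, and refusing to decrypt a block that would not fit the allocation. The cipher is a toy XOR stand-in and every function name, the constructed 64-byte packet and the "extra block" hostile case are assumptions made for the illustration.

```c
/* Editor's example, not libssh2 code. Packet layout per RFC 4253 section 6:
 * uint32 packet_length, byte padding_length, payload, padding (4..255), MAC.
 * The "cipher" is a hypothetical XOR stand-in for AES/3DES-CBC. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSH_MAX_PACKET_LEN 35000u  /* RFC 4253 6.1: the size every peer must handle */
#define TOY_KEY 0x5a               /* hypothetical toy cipher key byte */

static uint32_t rd_u32(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Toy block "cipher" (XOR with a constant, so encrypt == decrypt). */
static void toy_crypt_block(const uint8_t *in, uint8_t *out, size_t blocksize)
{
    for (size_t i = 0; i < blocksize; i++)
        out[i] = in[i] ^ TOY_KEY;
}

/* From the first decrypted block, return the buffer size needed for the whole
 * packet (length field + body, MAC excluded), or 0 if the header is invalid.
 * A valid total is a block multiple, so a loop decrypting whole blocks into a
 * buffer of this size cannot overrun it. */
size_t ssh_packet_alloc_len(const uint8_t *first_block, size_t blocksize)
{
    if (blocksize < 8)
        return 0;
    uint32_t packet_length = rd_u32(first_block);
    uint8_t padding_length = first_block[4];
    /* packet_length covers padding_length byte + payload + padding */
    if (packet_length < 5 || packet_length > SSH_MAX_PACKET_LEN)
        return 0;
    size_t total = 4 + (size_t)packet_length;
    if (total % blocksize != 0)             /* RFC 4253 6: must be a block multiple */
        return 0;
    if (padding_length < 4 || (size_t)padding_length + 1 > packet_length)
        return 0;
    return total;
}

/* Convenience: build a first block from the two header fields and size it. */
size_t alloc_len_for(uint32_t packet_length, uint8_t padding_length, size_t blocksize)
{
    uint8_t first[64] = {0};
    first[0] = (uint8_t)(packet_length >> 24); first[1] = (uint8_t)(packet_length >> 16);
    first[2] = (uint8_t)(packet_length >> 8);  first[3] = (uint8_t)packet_length;
    first[4] = padding_length;
    return ssh_packet_alloc_len(first, blocksize);
}

/* Decrypt the blocks after the first one into out (first block already at
 * out[0..blocksize)). Refuses instead of writing past out_cap: this is the
 * bounds check whose absence shows up as "Invalid write ... after a block".
 * Returns total plaintext bytes in out, or -1 on error. */
long ssh_decrypt_rest(const uint8_t *wire, size_t wire_len,
                      uint8_t *out, size_t out_cap, size_t blocksize)
{
    if (wire_len % blocksize != 0 || out_cap < blocksize)
        return -1;
    size_t off = blocksize;
    for (size_t i = 0; i < wire_len; i += blocksize) {
        if (off + blocksize > out_cap)      /* next block would overrun the allocation */
            return -1;
        toy_crypt_block(wire + i, out + off, blocksize);
        off += blocksize;
    }
    return (long)off;
}

/* Constructed end-to-end case: a 64-byte packet (packet_length 60, padding 7,
 * 52 payload bytes) is "encrypted", parsed, allocated and decrypted safely;
 * then a peer that sends one ciphertext block too many must be rejected.
 * Returns 1 if both behave as expected, else 0. */
int demo(void)
{
    const size_t bs = 16;
    uint8_t plain[64], wire[64], first[16], extra[64];
    memset(plain, 'A', sizeof plain);
    plain[0] = 0; plain[1] = 0; plain[2] = 0; plain[3] = 60;   /* packet_length */
    plain[4] = 7;                                               /* padding_length */
    memset(plain + 64 - 7, 0xee, 7);                            /* constructed padding */
    for (size_t i = 0; i < 64; i += bs)
        toy_crypt_block(plain + i, wire + i, bs);

    toy_crypt_block(wire, first, bs);           /* decrypt block 0 to read the header */
    size_t need = ssh_packet_alloc_len(first, bs);
    if (need != 64)
        return 0;
    uint8_t *buf = malloc(need);
    if (!buf)
        return 0;
    memcpy(buf, first, bs);
    long got = ssh_decrypt_rest(wire + bs, 64 - bs, buf, need, bs);
    int ok = (got == 64) && memcmp(buf, plain, 64) == 0;

    memset(extra, 0, sizeof extra);             /* hostile: 4 blocks where 3 were announced */
    memcpy(extra, wire + bs, 48);
    ok = ok && ssh_decrypt_rest(extra, 64, buf, need, bs) == -1;
    free(buf);
    return ok;
}

int main(void)
{
    printf("safe decrypt demo: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The header check rejects a 63-byte total outright (63 is not a multiple of any SSH block size), which is the kind of precondition that makes the later per-block bounds test cheap; the second test catches the case where the announced length was sane but the peer keeps sending.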