Subject: Re: [libssh2] #211: size mismatch between struct transportpacket fields causes libssh2 to get stuck

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Tue, 01 Mar 2011 00:28:31 -0000

#211: size mismatch between struct transportpacket fields causes libssh2 to get stuck
---------------------------------------------------------------------------------------+
  Reporter: www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna | Owner: Peter Stuge <peter@…>
      Type: defect | Status: closed
  Priority: normal | Milestone: 1.2.8
 Component: protocol | Version: 1.2.7
Resolution: fixed | Keywords:
    Blocks: | Blocked By:
---------------------------------------------------------------------------------------+

Comment (by www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna):

 Replying to [comment:5 stuge]:
 > Replying to [comment:4 www.google.com/accounts/o8/id?id=aitoawlhggg_yplkl7grwwpbbum-omtqud4rmna]:
 > > won't this get us into trouble if there was an error after p->total_num was set
 > > (for example while decrypting a chunk)
 >
 > Did you already look at which code paths have this problem? Do you know
 > if there are many of them?

 I can't speak about there being many. The one that I had in mind was in
 the _libssh2_channel_read function (src/channel.c on line 1692), where we have

     while (rc > 0)
         rc = _libssh2_transport_read(session);

     if ((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN))
         return _libssh2_error(session, rc, "transport read");

 Now if we get a decryption error in the 2nd call to
 _libssh2_transport_read, we could have session->packet.total_num set to a
 non-zero value.
 In response to this error, client code might try to free the channel (which
 is what my code does). libssh2_channel_free again calls
 libssh2_transport_read and we get stuck in the do {} while loop.

 Jasmeet

-- 
Ticket URL: <http://trac.libssh2.org/ticket/211#comment:6>
libssh2 <http://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2011-03-01
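
The failure mode described in the comment above, as a simplified model added here; it is not libssh2 code and not from the ticket's author. The toy framing, the names `transport_read`, `error_then_cleanup` and `reset_on_error`, the error codes and the spin limit are assumptions of the model, as is the way the loop stalls (waiting for the rest of a packet that never arrives).

```c
#include <stddef.h>
#include <string.h>
/* Constructed codes; SPIN_LIMIT stands in for "loops forever". */
enum { ERR_DECRYPT = -1, ERR_STUCK = -2, SPIN_LIMIT = 1000 };
struct packet_state { size_t total_num, data_num; };
struct session {
    struct packet_state p;    /* survives between calls, like session->packet */
    const unsigned char *in;  /* constructed input stream */
    size_t in_len, in_pos;
    int reset_on_error;       /* 0 = state left stale, 1 = hardened */
};

/* Toy framing: length byte, then payload; a 0xFF payload byte fails to "decrypt". */
static int transport_read(struct session *s)
{
    int spins = 0;
    if (s->p.total_num == 0) {            /* not mid-packet: parse a header */
        if (s->in_pos == s->in_len)
            return 0;                     /* nothing to read */
        s->p.total_num = s->in[s->in_pos++];
        s->p.data_num = 0;
    }
    do {
        if (s->in_pos == s->in_len) {     /* rest of the packet never arrives */
            if (++spins > SPIN_LIMIT)
                return ERR_STUCK;
            continue;
        }
        if (s->in[s->in_pos++] == 0xFF) {
            if (s->reset_on_error)
                memset(&s->p, 0, sizeof(s->p));  /* drop the half-read packet */
            return ERR_DECRYPT;
        }
        s->p.data_num++;
    } while (s->p.data_num < s->p.total_num);
    memset(&s->p, 0, sizeof(s->p));       /* packet complete */
    return 1;
}

/* A failing read loop, then one more read as a cleanup path would make.
 * Constructed stream: 2-byte packet (ok), 3-byte packet whose 2nd byte fails. */
static int error_then_cleanup(int reset_on_error)
{
    static const unsigned char stream[] = { 2, 'a', 'b', 3, 'c', 0xFF };
    struct session s = { {0, 0}, stream, sizeof(stream), 0, reset_on_error };
    int rc = 1;
    while (rc > 0)
        rc = transport_read(&s);
    return rc != ERR_DECRYPT ? rc : transport_read(&s);
}
```

With `reset_on_error` set to 0 the cleanup read resumes a packet that was abandoned mid-way and never completes; with 1 it starts from a clean state and returns immediately.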