Subject: SIGSEGV if using patch "keyb-interactive: allow zero length fields"

SIGSEGV if using patch "keyb-interactive: allow zero length fields"

From: Alfred Gebert <>
Date: Tue, 28 Jun 2011 09:00:17 +0200

I'm using libssh2 from git. My test uses curl and if I try to
establish an sftp session the program dies with "Segmentation fault".

curl --insecure -u agebert:password --verbose s
* About to connect() to port 22 (#0)
* Trying connected
* Connected to ( port 22 (#0)
* SSH authentication methods available:
* Using ssh public key file /home/agebert/.ssh/
* Using ssh private key file /home/agebert/.ssh/id_dsa
* SSH public key authentication failed: Unable to open public key file
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0xb7cd8fa1 in free () from /lib/
(gdb) where
#0 0xb7cd8fa1 in free () from /lib/
#1 0xb7e83670 in my_libssh2_free () from /home/agebert/local/lib/
#2 0xb7b136d8 in userauth_keyboard_interactive (session=0x8084a40,
username=0x8084810 "agebert", username_len=7,
    response_callback=0xb7e83840 <kbd_callback>) at userauth.c:1616
#3 0xb7b1390b in libssh2_userauth_keyboard_interactive_ex
(session=0x8084a40, user=0x8084810 "agebert", user_len=7,
    response_callback=0xb7e83840 <kbd_callback>) at userauth.c:1672
#4 0xb7e851d6 in ssh_statemach_act () from /home/agebert/local/lib/
#5 0xb7e87a32 in ssh_easy_statemach () from
#6 0xffffffff in ?? ()

I tried to isolate which commit introduced the regression.

This is fine:
libssh2_channel_process_startup.3: clean up

This does crash:
5b004a4b67e3c6e8de97d5bbbab470b1191b1a16 keyb-interactive: add the fixed buffer

The other commits between these commits do not compile.

For me the fix "keyb-interactive: allow zero length fields" is
important because on AIX malloc(0) returns an error.

If you need more details let me know.

Received on 2011-06-28
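To show the failure mode the report is about (a zero-length keyboard-interactive field reaching malloc(0), then a bad pointer reaching free()), here is an added example that is not libssh2's code: a small parser for the body of the keyboard-interactive INFO_REQUEST message that allocates len + 1 bytes for every field, so malloc(0) is never called, and NULLs each pointer on failure so cleanup never frees garbage. The RFC 4256 field layout (name, instruction, language tag, num-prompts) is assumed, and SAMPLE_REQUEST is a constructed packet with two empty fields.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct kbd_request { char *name, *instruction, *language; uint32_t num_prompts; };
/* SSH wire format stores lengths as big-endian uint32. */
static uint32_t get_u32(const unsigned char *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

void free_kbd_request(struct kbd_request *r)
{
    free(r->name); free(r->instruction); free(r->language);
    r->name = r->instruction = r->language = NULL;  /* safe to free again */
}

/* Copy one SSH "string" (uint32 length + bytes) into a NUL-terminated buffer
 * of len + 1 bytes, so an empty field never calls malloc(0), whose result is
 * implementation-defined (NULL on AIX). *out is NULL on failure. */
static int read_ssh_string(const unsigned char **cur, const unsigned char *end, char **out)
{
    uint32_t len;
    *out = NULL;
    if (end - *cur < 4) return -1;                      /* no length word */
    len = get_u32(*cur);
    *cur += 4;
    if ((size_t)(end - *cur) < len) return -1;          /* truncated packet */
    if (!(*out = malloc((size_t)len + 1))) return -1;   /* never malloc(0) */
    memcpy(*out, *cur, len);
    (*out)[len] = '\0';
    *cur += len;
    return 0;
}

/* Parse SSH_MSG_USERAUTH_INFO_REQUEST (RFC 4256) after the message-type byte:
 * name, instruction, language tag, num-prompts. Partial results are freed. */
int parse_kbd_request(const unsigned char *buf, size_t buflen, struct kbd_request *r)
{
    const unsigned char *cur = buf, *end = buf + buflen;
    memset(r, 0, sizeof *r);                            /* all pointers NULL */
    if (read_ssh_string(&cur, end, &r->name) ||
        read_ssh_string(&cur, end, &r->instruction) ||
        read_ssh_string(&cur, end, &r->language) || end - cur < 4) {
        free_kbd_request(r);                            /* drop partial results */
        return -1;
    }
    r->num_prompts = get_u32(cur);
    return 0;
}

/* Constructed sample: empty name, empty instruction, language "en", 1 prompt. */
static const unsigned char SAMPLE_REQUEST[] = { 0,0,0,0, 0,0,0,0, 0,0,0,2,'e','n', 0,0,0,1 };
```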