Subject: Buffer overflow with mbedTLS

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 25 Oct 2016 23:40:46 +0200 (CEST)

Hey all,

I'm forwarding this just to make sure you all are aware - this is not what I
normally do with bugs. The mbedTLS crypto backend is obviously brand new so
this flaw shouldn't hurt anyone's use of libssh2 in production but should
perhaps make you pause if you had plans to.

I suppose this could warrant a follow-up release once this is fixed.

-- 
  / daniel.haxx.se
---------- Forwarded message ----------
Date: Tue, 25 Oct 2016 23:35:32
From: doublex <notifications_at_github.com>
Reply-To: libssh2/libssh2
     <reply+0002b373b499828632a8d07d4465116c62ae0787ec7b465792cf00000001142792249
     2a169ce0b0a8ba7_at_reply.github.com>
To: libssh2/libssh2 <libssh2_at_noreply.github.com>
Subject: [libssh2/libssh2] Buffer overflow (#138)
I have tried libssh2 with mbedtls. "AddressSanitizer" aborts the process due to a heap-buffer overflow:
````
=================================================================
==4888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000cad0 at pc 0x7f94e1993bec bp 0x7ffd2af357e0 sp 0x7ffd2af34f88
WRITE of size 384 at 0x61300000cad0 thread T0
     #0 0x7f94e1993beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
     #1 0xd7a240 in mbedtls_rsa_init mbedtls/rsa.c:71
     #2 0xecee57 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:279
     #3 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96
     #4 0xec3af4 in diffie_hellman_sha256 ssh2/kex.c:928
     #5 0xec8e2a in kex_method_diffie_hellman_group_exchange_sha256_key_exchange ssh2/kex.c:1657
     #6 0xeccaa9 in _libssh2_kex_exchange ssh2/kex.c:2542
     #7 0xede6f7 in session_startup ssh2/session.c:726
     #8 0xedec95 in libssh2_session_handshake ssh2/session.c:804
     #9 0xeded2e in libssh2_session_startup ssh2/session.c:823
     #10 0x10e2b24 in ssh2_session_init ssh.cpp:1386
     #11 0x10e389a in ssh2_connect ssh.cpp:1440
     #12 0xfbcfbc in update update.cpp:98
     #13 0xfbdb60 in main update.cpp:2195
     #14 0x7f94e000782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
     #15 0x40a358 in _start (update+0x40a358)
0x61300000cad0 is located 0 bytes to the right of 336-byte region [0x61300000c980,0x61300000cad0)
allocated by thread T0 here:
     #0 0x7f94e199f79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
     #1 0xecee36 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:277
     #2 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96
     #3 0xec3af4 in diffie_hellman_sha256 ssh2/kex.c:928
     #4 0xec8e2a in kex_method_diffie_hellman_group_exchange_sha256_key_exchange ssh2/kex.c:1657
     #5 0xeccaa9 in _libssh2_kex_exchange ssh2/kex.c:2542
     #6 0xede6f7 in session_startup ssh2/session.c:726
     #7 0xedec95 in libssh2_session_handshake ssh2/session.c:804
     #8 0xeded2e in libssh2_session_startup ssh2/session.c:823
     #9 0x10e2b24 in ssh2_session_init ssh.cpp:1386
     #10 0x10e389a in ssh2_connect ssh.cpp:1440
     #11 0xfbcfbc in update update.cpp:98
     #12 0xfbdb60 in main update.cpp:2195
     #13 0x7f94e000782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
````
Reply to this email directly or view it on GitHub:
https://github.com/libssh2/libssh2/issues/138
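As an added triage example (not part of this email, libssh2 or mbedTLS), the C parser below pulls the two numbers that matter out of a report like the one above, the size of the faulting access and the size of the allocation, and flags when one access is larger than the whole block. That pattern is the signature of a sizeof disagreement between the allocator (the 336-byte calloc at mbedtls.c:277) and the initializer (the 384-byte memset in mbedtls_rsa_init at rsa.c:71) rather than an off-by-one index, and it is what an ASan crash-triage job should surface first.

```c
#include <stdio.h>
#include <string.h>

/* Triage summary of one AddressSanitizer heap-buffer-overflow report. */
typedef struct {
    int is_write;              /* 1 for "WRITE of size", 0 for "READ of size" */
    unsigned long access_size; /* bytes touched by the faulting access */
    unsigned long region_size; /* bytes actually allocated */
    unsigned long distance;    /* reported distance from the region edge */
    char side[8];              /* "right" (past the end) or "left" (before the start) */
    unsigned long excess;      /* access_size - region_size when one access is bigger than the allocation */
} asan_hbo;

/* Returns 1 and fills *out if the text is an ASan heap-buffer-overflow report, else 0. */
int asan_parse_heap_overflow(const char *report, asan_hbo *out)
{
    const char *p = strstr(report, "WRITE of size ");
    memset(out, 0, sizeof *out);
    if (!strstr(report, "AddressSanitizer: heap-buffer-overflow"))
        return 0;
    out->is_write = (p != NULL);
    if (!p)
        p = strstr(report, "READ of size ");
    if (!p || sscanf(p, "%*s of size %lu", &out->access_size) != 1)
        return 0;
    p = strstr(report, "is located ");
    if (!p || sscanf(p, "is located %lu bytes to the %7s of %lu-byte region",
                     &out->distance, out->side, &out->region_size) != 3)
        return 0;
    /* One access larger than the whole allocation means the code treats the block as a
       bigger object (here a 384-byte memset into a 336-byte calloc): a size disagreement,
       not an off-by-one index. */
    if (out->access_size > out->region_size)
        out->excess = out->access_size - out->region_size;
    return 1;
}

/* Lines taken (trimmed) from the report in the forwarded issue above. */
static const char sample_report[] =
    "==4888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000cad0 at pc 0x7f94e1993bec\n"
    "WRITE of size 384 at 0x61300000cad0 thread T0\n"
    "    #1 0xd7a240 in mbedtls_rsa_init mbedtls/rsa.c:71\n"
    "0x61300000cad0 is located 0 bytes to the right of 336-byte region [0x61300000c980,0x61300000cad0)\n";
/* Bytes by which the faulting access in the sample exceeds its allocation (0 if it does not parse). */
unsigned long sample_excess(void)
{
    asan_hbo r;
    return asan_parse_heap_overflow(sample_report, &r) ? r.excess : 0;
}
```

For the report above the parser yields a 384-byte write into a 336-byte region, 48 bytes more than was allocated, which points at the context struct's size as seen by the caller and by the library being different rather than at a bad index.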
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2016-10-25