Ticket #108 (closed defect)

Opened 8 years ago

Last modified 8 years ago

libssh2_channel_write with blocks >=16k causes corrupted MAC

Reported by: anonymous Owned by: bagder
Priority: normal Milestone:
Component: SCP Version:
Keywords: Cc: bagder
Blocked By: Blocks:


When I use libssh2_channel_write(), e.g. the example scp_write.c, with a block size of more than 10k some data is transmitted, but then suddenly after around 64k libssh2_channel_write() reports the return code -1 and the error message says "Unable to send data". I traced it back to the call of send() which reports EPIPE. On the remote side I see in the sshd-log:

sshd[2026]: Disconnecting: Corrupted MAC on input.

Thus it looks like the remote ssh-server cannot process the data sent via libssh2 and closes the connection.

This problem only occurs when I use a block size of >10k (libssh2 v1.1), but the limit may depend. If I add some debug output it looks like other block sizes may work or not work, too. This problem looks like a race-condition.

Note: with libssh2 v0.18 this problem did not occur! I detected the problem when I switched from libssh2 v0.18 to v1.1 in an application which uses libssh2. After installation of the new libssh2 library the application could not send any data anymore. With libssh v0.18 the application still works well.

Change History

comment:1 Changed 8 years ago by bagder

Can you please retry with the current git code? We've taken precautions against this flaw now.

comment:2 Changed 8 years ago by sf-robot

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
