Ticket #14 (closed defect)

Opened 11 years ago

Last modified 10 years ago

Seg Fault in Key Exchange

Reported by: sshattered Owned by:
Priority: normal Milestone:
Component: Version:
Keywords: Cc: sshattered, jehousley
Blocked By: Blocks:


Libssh2 Team,

Running against an ssh server: "SSH-2.0-lshd_1.4.1", in
an OpenSSH "no hostkey alg" state, libssh2 versions 12
and 13 (configure'd and built with defaults on Fedora
Core 3) seg faults repeatedly at kex.c line 946. No
prefs are used in the libssh2_kex_agree_hostkey
function. Debugging shows the "while" loop on line 931
passes the first two items of the array, ssh-rsa and
ssh-dss, but fails on the NULL array entry. All three
of the passes have "none" hostkeys and associated lengths.

stack is as follows:
#0 0x00c03ec8 in libssh2_kex_agree_hostkey
(session=0x9e5f728, kex_flags=2, hostkey=0x9e6c9d3
"none", hostkey_len=4) at kex.c:946
946 hostkeyp++;
(gdb) bt
#0 0x00c03ec8 in libssh2_kex_agree_hostkey
(session=0x9e5f728, kex_flags=2, hostkey=0x9e6c9d3
"none", hostkey_len=4) at kex.c:946
#1 0x00c0503b in libssh2_kex_exchange
(session=0x9e5f728, reexchange=0) at kex.c:996
#2 0x00c0b761 in libssh2_session_startup
(session=0x9e5f728, socket=4) at session.c:321

A malevolent server could be configured or emulated to
crash clients using libssh2 by passively listening and
exhibiting the "no host key" behavior.

All network packet captures appear nominal and are
available on request. OpenSSH captures against the same
server are also available. Debug libssh2 traces of
libssh are also available on request.

A quick but perhaps inappropriate fix (to demonstrate)
may be made by adding
" int count=0; for(;count<2;count++)" to kex.c
2005-07-11 11:56 line 946. (This convention, the NULL
array stop, might possibly fail elsewhere as well.)
Applying this fix will allow this particular server to
exit the libssh2_session_startup() function with a
reported error, avoiding the failure. This fix does not
interfere with interactions over a large server set.


Sara G. this is in reference to the email containing
the same issue sent to polllita at your PECL address.

Change History

comment:1 Changed 11 years ago by sshattered

After looking over the code a bit I feel a change in kex.c
line 931 to:

while (*hostkeyp && (*hostkeyp)->name) {

would be perhaps in keeping with conventions.

(Just to be certain I isolated that section of code in a
test app and verified it.) It would be in keeping with
kexp, cryptp, macp, compp etc usage.
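The failure mode described in the ticket and the guard proposed in comment:1, as an added stand-alone example (this is not libssh2 code; the struct, table and function names are hypothetical, and the server name-lists are constructed inputs). The method table is terminated by a NULL pointer, so a loop that tests `(*p)->name` dereferences that NULL as soon as no entry matches; the fixed loop tests the pointer first and lets the caller report "no agreement" instead of crashing:

```c
/* Added example: walking a NULL-terminated method table, unsafe vs. guarded.
 * Not libssh2 code; all names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;   /* algorithm name as it appears on the wire */
    int         flags;  /* capability bits in a real table; unused here */
} hostkey_method_t;

static const hostkey_method_t method_rsa = { "ssh-rsa", 0 };
static const hostkey_method_t method_dss = { "ssh-dss", 0 };

/* The table ends with a NULL pointer, not with an entry whose name is NULL. */
static const hostkey_method_t *const hostkey_methods[] = {
    &method_rsa,
    &method_dss,
    NULL
};

/* Length-bounded compare: a name-list entry from the server is not NUL-terminated. */
static int name_matches(const char *offered, size_t offered_len, const char *name)
{
    size_t n = strlen(name);
    return n == offered_len && memcmp(offered, name, n) == 0;
}

/* Unsafe loop (the pattern the ticket reports): it reads (*p)->name before
 * checking *p, so a name the table does not contain, e.g. "none", walks
 * past ssh-rsa and ssh-dss and dereferences the terminating NULL.
 * Kept for comparison only; nothing below calls it. */
const hostkey_method_t *agree_hostkey_unsafe(const char *offered, size_t len)
{
    const hostkey_method_t *const *p = hostkey_methods;
    while ((*p)->name) {            /* crashes on the NULL terminator */
        if (name_matches(offered, len, (*p)->name))
            return *p;
        p++;
    }
    return NULL;
}

/* Guarded loop, the shape proposed in comment:1: test the pointer first. */
const hostkey_method_t *agree_hostkey_fixed(const char *offered, size_t len)
{
    const hostkey_method_t *const *p = hostkey_methods;
    while (*p && (*p)->name) {
        if (name_matches(offered, len, (*p)->name))
            return *p;
        p++;
    }
    return NULL;    /* no agreement: caller returns an error rather than crashing */
}

/* Walk a comma-separated name-list as sent in KEXINIT (e.g. "none" or
 * "ssh-dss,ssh-rsa") and return the first method we support, or NULL. */
const hostkey_method_t *agree_from_namelist(const char *list)
{
    const char *start = list;
    for (;;) {
        const char *comma = strchr(start, ',');
        size_t len = comma ? (size_t)(comma - start) : strlen(start);
        const hostkey_method_t *m = agree_hostkey_fixed(start, len);
        if (m)
            return m;
        if (!comma)
            return NULL;
        start = comma + 1;
    }
}

int main(void)
{
    /* Constructed inputs: an ordinary server list and the "no hostkey" case. */
    const hostkey_method_t *m = agree_from_namelist("ssh-dss,ssh-rsa");
    printf("ordinary server : %s\n", m ? m->name : "(no agreement)");
    m = agree_from_namelist("none");
    printf("server offering none: %s\n", m ? m->name : "(no agreement)");
    return 0;
}
```

The guard `*p && (*p)->name` costs one extra pointer test per iteration and turns a remote crash into an ordinary negotiation failure; the same check belongs on every loop that walks one of these NULL-terminated tables, which is why the ticket notes that the convention might fail elsewhere too.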

comment:2 Changed 10 years ago by jehousley

Committed by sarag: revision 1.10, Mon May 16 17:16:25 2005 UTC
