Subject: RE: libssh2_channel_write_ex may incorrectly return EAGAIN

From: Mark Riordan <mriordan_at_ipswitch.com>
Date: Sat, 13 Nov 2010 10:45:12 -0600

Daniel:
> I'm sure these flaws also affect Mark Riordan's case and explains
> some/all of the resends he has seen.

My program now terminates with an access violation (segfault to you
UNIX types) after a few writes. Access vios occur at various places:

  msvcr90d.dll!memcpy(unsigned char * dst=0x009c41c2, unsigned char * src=0x009d501e, unsigned long count=32700) Line 271 Asm
> sftpmrr.exe!_libssh2_transport_send(_LIBSSH2_SESSION * session=0x009c0068, const unsigned char * data=0x009cef68, unsigned int data_len=9, const unsigned char * data2=0x009d501e, unsigned int data2_len=32700) Line 739 + 0x1b bytes C
  sftpmrr.exe!channel_write(_LIBSSH2_CHANNEL * channel=0x009ced60, int stream_id=0, const unsigned char * buf=0x009d501e, unsigned int buflen=32700) Line 2050 + 0x2b bytes C
  sftpmrr.exe!_libssh2_channel_write(_LIBSSH2_CHANNEL * channel=0x009ced60, int stream_id=0, const unsigned char * buf=0x009d501e, unsigned int buflen=4294963267) Line 2140 + 0x15 bytes C
  sftpmrr.exe!sftp_write(_LIBSSH2_SFTP_HANDLE * handle=0x003bf380, const char * buffer=0x0011f9cc, unsigned int count=0) Line 1504 + 0x20 bytes C
  sftpmrr.exe!libssh2_sftp_write(_LIBSSH2_SFTP_HANDLE * hnd=0x003bf380, const char * buffer=0x00117ad8, unsigned int count=32500) Line 1607 + 0x11 bytes C
  sftpmrr.exe!doMain(struct_settings settings={...}) Line 442 + 0x21 bytes C++
  sftpmrr.exe!main(int argc=10, char * * argv=0x003b7028) Line 520 + 0x25 bytes C++

This is in a call to memcpy in transport.c line 739, in
_libssh2_transport_send:

    if(data2 && data2_len)
        memcpy(&p->outbuf[5+data_len], data2, data2_len);

Looking at variables:
? data_len
9
? data2_len
32700
---------------
I noticed this in the trace log in a second run (of a release build)
that simply terminated with no explanation:
[libssh2] 0.848116 SFTP: Asking for 101 packet
[libssh2] 0.848116 SFTP: Got 101
[libssh2] 0.848116 Conn: Writing -4029 bytes on channel 0/0, stream #0
[libssh2] 0.848116 Conn: Sending 32700 bytes on channel 0/0, stream_id=0
=> libssh2_transport_write plain (9 bytes)
0000: 5E 00 00 00 00 00 00 7F BC : ^........
=> libssh2_transport_write plain2 (32700 bytes)
0000: 3C 00 28 02 3C 00 28 02 3C 00 30 02 3C 00 30 02 : <.(.<.(.<.0.<.0.
----------------
On a later run with tracing enabled, it blew up at
transport.c line 89 in debugdump:
            if (i + c < size) {
                buffer[used++] = hex_chars[(ptr[i+c] >> 4) & 0xF];
The error was in reading memory at 0x003c3000.

?used
12
?i
14400
?c
2
?width
16
?size
32700
?ptr
0x003bf7be

I uploaded the trace log from this last run to:
http://trac.libssh2.org/attachment/ticket/197/2010-11-13-access-vio.zip

I am going to be busy most of the rest of the day, but
I may take a deeper look at this later.

Thanks!

Mark
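An added example (editor's illustration, not part of Mark's message and not libssh2 code) of the arithmetic behind the report above: the trace says "Writing -4029 bytes" while the stack shows `buflen=4294963267`, which is exactly that negative count reinterpreted as an unsigned 32-bit value, and the quoted memcpy then trusts `data2_len`. The functions below reproduce the conversion and show a capacity check in front of the copy that refuses the trace's lengths. The 5-byte header offset comes from the quoted `&p->outbuf[5+data_len]`; the 1024-byte output buffer, the `data2` contents and the helper names are constructed assumptions.

```c
/* Added example; not from libssh2 or from the reporter's program. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "-4029 bytes" passed through an unsigned int parameter becomes 2^32 - 4029,
 * the buflen=4294963267 seen in the _libssh2_channel_write frame. */
uint32_t as_uint32_len(int32_t signed_len)
{
    return (uint32_t)signed_len;
}

/* Validate a signed remaining-length before it reaches an unsigned API:
 * returns the length, or -1 if it is negative. */
long long checked_length(int32_t signed_len)
{
    return signed_len < 0 ? -1 : (long long)signed_len;
}

/* Assemble a packet the way the quoted transport line does (5 header bytes,
 * then data, then data2), but check that everything fits into the 'cap'
 * bytes of outbuf first. Returns 0 on success, -1 if it would overflow.
 * Subtracting before comparing avoids overflow in the check itself. */
int assemble_checked(unsigned char *outbuf, size_t cap,
                     const unsigned char *data, size_t data_len,
                     const unsigned char *data2, size_t data2_len)
{
    const size_t header = 5;
    if (cap < header || data_len > cap - header)
        return -1;
    if (data2_len > cap - header - data_len)
        return -1;
    memcpy(&outbuf[header], data, data_len);
    if (data2 && data2_len)
        memcpy(&outbuf[header + data_len], data2, data2_len);
    return 0;
}

/* Scenario built from the trace: 9 header-payload bytes (taken from the hex
 * dump in the mail) and data2_len=32700, against a constructed 1024-byte
 * buffer. Returns 1 if the oversized copy is refused. */
int trace_lengths_are_rejected(void)
{
    unsigned char outbuf[1024];
    unsigned char data[9] = {0x5E, 0, 0, 0, 0, 0, 0, 0x7F, 0xBC};
    unsigned char data2[64];
    memset(data2, 0x3C, sizeof data2);   /* constructed filler */
    return assemble_checked(outbuf, sizeof outbuf, data, 9, data2, 32700) == -1;
}

/* Same pieces with an honest data2_len: the copy succeeds and the bytes land
 * at the expected offsets. Returns 1 on success. */
int small_write_fits(void)
{
    unsigned char outbuf[1024];
    unsigned char data[9] = {0x5E, 0, 0, 0, 0, 0, 0, 0x7F, 0xBC};
    unsigned char data2[64];
    memset(data2, 0x3C, sizeof data2);
    if (assemble_checked(outbuf, sizeof outbuf, data, 9, data2, sizeof data2) != 0)
        return 0;
    return outbuf[5] == 0x5E && outbuf[5 + 9] == 0x3C;
}

int main(void)
{
    printf("-4029 as uint32: %u\n", as_uint32_len(-4029));
    printf("checked_length(-4029): %lld\n", checked_length(-4029));
    printf("trace lengths rejected: %d\n", trace_lengths_are_rejected());
    printf("small write fits: %d\n", small_write_fits());
    return 0;
}
```

The check only guards the copy; the actual defect is upstream, where a remaining-length went negative and was handed to an unsigned parameter, so `checked_length` is the place such a value should be caught.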

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-11-13