Subject: Re: Core dump when authentication fails?

Re: Core dump when authentication fails?

From: Daniel Stenberg <>
Date: Mon, 30 May 2011 10:35:06 +0200 (CEST)

On Sun, 29 May 2011, Saqib Ali wrote:

> Cross posted from:

Allow me to it-iterate here what I mention on the libcurl list: that check is
libcurl's way to detect problems in libcurl and not necessarily an error when
made by "others" such as libssh2. Also, the assert() you see in libcurl is
only present when you build libcurl debug-enabled and thus it will behave
differently if you build a "normal" build.

I do however think it is a REALLY bad idea to malloc() zero bytes (because we
can't rely on the return code) so we should correct libssh2 to not do that.

I guess the code for the keyboard-interactive auth must not assume that the
data that arrives actually has non-zero lengths.

> Has anyone else seen this behavior? What is the correct expected behavior
> when the user authentication fails?

Please don't assume that people on this list knows about libcurl or cares
about it to any particular extent. This list is about libssh2.

Received on 2011-05-30