Subject: Re: SIGSEGV if using patch "keyb-interactive: allow zero length fields"

From: Alfred Gebert <>
Date: Wed, 29 Jun 2011 13:39:20 +0200

On Wed, Jun 29, 2011 at 11:49 AM, Daniel Stenberg <> wrote:
> On Wed, 29 Jun 2011, Alfred Gebert wrote:
>>>> #2  0xb7b136d8 in userauth_keyboard_interactive (session=0x8084a40,
>>>> username=0x8084810 "agebert", username_len=7,
>>>>   response_callback=0xb7e83840 <kbd_callback>) at userauth.c:1616
>>> At this point (userauth.c:1616), is session->userauth_kybd_data NULL or what does it point to?
>> session->userauth_kybd_data is _not_ NULL.
> Oh. Can you see from where it jumps to the cleanup label?

session->userauth_kybd_data is set to NULL on line userauth.c:1575.

And then it is modified here:

(gdb) cont
Hardware watchpoint 4: session->userauth_kybd_data

Old value = (unsigned char *) 0x0
New value = (unsigned char *) 0x3 <Address 0x3 out of bounds>
_libssh2_htonu32 (buf=0x8091855 "", value=3) at misc.c:176
176 }
(gdb) where
#0 _libssh2_htonu32 (buf=0x8091855 "", value=3) at misc.c:176
#1 0xb7b0102a in _libssh2_store_u32 (buf=0xbfffdaf0, value=3) at misc.c:182
#2 0xb7b01061 in _libssh2_store_str (buf=0xbfffdaf0, str=0x80966c0
"e2e", len=3) at misc.c:190
#3 0xb7b13600 in userauth_keyboard_interactive (session=0x8084a78,
username=0x8083ef0 "agebert", username_len=7,
    response_callback=0xb7e83840 <kbd_callback>) at userauth.c:1585
#4 0xb7b1390b in libssh2_userauth_keyboard_interactive_ex
(session=0x8084a78, user=0x8083ef0 "agebert", user_len=7,
    response_callback=0xb7e83840 <kbd_callback>) at userauth.c:1672
#5 0xb7e851d6 in ssh_statemach_act () from /home/agebert/local/lib/
#6 0xb7e87a32 in ssh_easy_statemach () from
#7 0xbfffec28 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

The five bytes of session->userauth_buf are too small, and
session->userauth_kybd_data is the next member after userauth_buf.

Received on 2011-06-29
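The overrun the message pins down, as an added example in C that is not libssh2's code: a bounds-checked version of the length-prefixed string store, run against a stand-in struct that places the 5-byte userauth_buf right before the userauth_kybd_data pointer (the struct, the bounded_buf type and the function names are assumptions; only the two member names come from the thread).

```c
#include <stdint.h>
#include <string.h>

/* Added example, not libssh2 code: a stand-in for the session layout the
 * thread describes, a 5-byte userauth_buf directly followed by the
 * userauth_kybd_data pointer (member names from the message, struct hypothetical). */
struct session_like {
    unsigned char userauth_buf[5];
    unsigned char *userauth_kybd_data;
};

/* Bounded writer: the remaining capacity travels with the pointer, so no
 * store can run past the buffer and into the neighbouring member. */
struct bounded_buf { unsigned char *ptr; size_t remaining; };

/* Big-endian uint32 as on the SSH wire. 0 on success, -1 if it does not fit. */
int store_u32_checked(struct bounded_buf *b, uint32_t value)
{
    if (b->remaining < 4)
        return -1;
    b->ptr[0] = (unsigned char)(value >> 24);
    b->ptr[1] = (unsigned char)(value >> 16);
    b->ptr[2] = (unsigned char)(value >> 8);
    b->ptr[3] = (unsigned char)value;
    b->ptr += 4;
    b->remaining -= 4;
    return 0;
}

/* SSH string: 4-byte length prefix then the bytes. The full 4 + len is checked
 * before anything is written, so a refusal leaves no partial write behind. */
int store_str_checked(struct bounded_buf *b, const char *str, size_t len)
{
    if (len > UINT32_MAX || b->remaining < 4 + len)
        return -1;
    store_u32_checked(b, (uint32_t)len);
    memcpy(b->ptr, str, len);
    b->ptr += len;
    b->remaining -= len;
    return 0;
}

/* The 3-byte answer "e2e" from the backtrace needs 7 bytes; against the 5-byte
 * userauth_buf the checked store refuses it (-1) and the pointer member stays NULL
 * instead of being clobbered as the watchpoint showed. */
int try_store_answer(struct session_like *s)
{
    struct bounded_buf b = { s->userauth_buf, sizeof s->userauth_buf };
    s->userauth_kybd_data = NULL;
    return store_str_checked(&b, "e2e", 3);
}
```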