Subject: sftp: Problem if received data is shorter than requested

From: Maxime Larocque <>
Date: Wed, 17 Oct 2012 10:21:55 -0400


While working around ticket 249 I have seen something that might
eventually lead to trouble.

In sftp.c, around line 1487, sftp_read():
             case SSH_FXP_DATA:
                 rc32 = _libssh2_ntohu32(data + 5);
                 if (rc32 > (data_len - 9))
                     return _libssh2_error(session,
                                           "SFTP Protocol badness");

                 if(rc32 != chunk->len) {
                     /* a short read does not imply end of file, but we must
                        adjust the offset_sent since it was advanced with a
                        full chunk->len before */
                     filep->offset_sent -= (chunk->len - rc32);

If the received length is shorter than requested, it just reduces the
filep->offset_sent. This is wrong, since offset_sent has already been
used to send requests. If this happens, the file will be missing a
chunk. What OpenSSH does in this case is to resend the request with the
missing length. I do not know if a lot of servers answer with data
shorter than requested...

It looks like old code, if the sftp code has passed from
one-request-at-a-time to multiple parallel requests.

I may have missed something in this case, so feel free to comment :-).

Maxime Larocque
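A simulation of the offset_sent bookkeeping discussed in this mail, as an added example that is neither libssh2 code nor part of the original message. It assumes a constructed in-memory "server" that answers the request at offset 256 with only half the bytes, three requests in flight, and compares the quoted decrement of offset_sent with re-requesting the missing range.

```python
# Added example (not libssh2 code): pipelined SFTP reads with a short reply.
FILE = bytes(range(256)) * 4   # constructed 1024-byte "remote file"
CHUNK = 256                    # bytes requested per SSH_FXP_READ

def server_read(offset, length, short_at):
    """Constructed server: full data, except the request at `short_at`
    is answered with only half the bytes (a legal short read)."""
    data = FILE[offset:offset + length]
    if offset == short_at:
        data = data[:length // 2]
    return data

def read_file(strategy, short_at=256, window=3):
    """Read FILE with `window` requests on the wire at once.
    'adjust'  mimics the quoted code: offset_sent -= (requested - received).
    'reissue' re-requests only the bytes still missing from that chunk."""
    offset_sent = 0   # next offset to request; advanced when a request is sent
    inflight = []     # (offset, length) of requests already sent
    received = {}     # offset -> bytes returned for that offset
    while offset_sent < len(FILE) or inflight:
        while len(inflight) < window and offset_sent < len(FILE):
            inflight.append((offset_sent, CHUNK))
            offset_sent += CHUNK
        off, length = inflight.pop(0)
        data = server_read(off, length, short_at)
        if not data:          # treat an empty reply as EOF status
            continue
        received[off] = data
        if len(data) < length:
            if strategy == "adjust":
                # The mail's point: offset_sent was already consumed by the
                # requests still in `inflight`, so moving it back cannot
                # re-cover the bytes the short reply did not deliver.
                offset_sent -= (length - len(data))
            else:
                inflight.insert(0, (off + len(data), length - len(data)))
    return received

def gaps(received, total=len(FILE)):
    """Byte ranges [start, end) of the file that no reply covered."""
    out, pos = [], 0
    for start, data in sorted(received.items()):
        if start > pos:
            out.append((pos, start))
        pos = max(pos, start + len(data))
    if pos < total:
        out.append((pos, total))
    return out
```

With the decrement strategy the bytes 384..512 are never requested, while re-issuing the missing range yields a complete file.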

Received on 2012-10-17