Crashes with libssh2_userauth_keyboard_interactive_ex #6691
We got reports about crashes with recent CURL update and libssh2_userauth_keyboard_interactive_ex function.
Doing SFTP with LibSSH2 and OpenSSL causes a crash if no username/password is set.
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
Not sure what change in 7.75 causes this.
Sadly it looks like strdup and strlen are set.
Anyone seen this, too?
We patched libssh2.c ourselves with these changes to check for NULL pointers:
In the kbd_callback function:
So we added a check with `?` for whether the variable is NULL.
And later in ssh_statemach_act:
We also have NULL checks before passing values:
It may be better to check this once earlier and set it to an empty string if it is NULL.
Could someone confirm the problem and maybe include the changes for future releases?
Note there are several other places in libcurl's libssh2.c where it assumes conn->user is not NULL and does strlen(conn->user). libssh2 code in libssh2_userauth_password_ex passes around username and password parameters to functions that check for NULL, though I notice the documentation doesn't explicitly state they may be NULL.
For the keyboard callback it looks like we are assuming not NULL as well for conn->passwd. The LIBSSH2_USERAUTH_KBDINT_RESPONSE is not documented, though it is used in a number of examples. I'm not sure of the right behavior, and none of the examples I saw set response to NULL.
That uses empty strings instead of NULL, but as Will noted you can pass NULL. Basically all the strlen(conn->user) or strlen(conn->passwd) need to be checked before passing to strlen and I think that's it, unless you are getting a null deref inside libssh2.
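The NULL guard the thread converges on, written out as an added example (not curl's or libssh2's own code): a keyboard-interactive callback that turns a missing user/password into an empty string once, so nothing downstream reaches strdup or strlen with NULL. The `kbdint_response` and `conn_creds` structs and the callback shape are assumed stand-ins for LIBSSH2_USERAUTH_KBDINT_RESPONSE and curl's kbd_callback.

```c
#define _POSIX_C_SOURCE 200809L /* declare strdup() under strict C modes */
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for libssh2's LIBSSH2_USERAUTH_KBDINT_RESPONSE (text + length). */
typedef struct {
    char *text;
    unsigned int length;
} kbdint_response;

/* Assumed stand-in for the connection data curl hands the callback via `abstract`. */
typedef struct {
    const char *user;   /* may be NULL when no credentials were set */
    const char *passwd; /* may be NULL */
} conn_creds;

/* NULL becomes "" exactly once, so every later strlen()/strdup() is safe. */
static const char *nonnull_str(const char *s)
{
    return s ? s : "";
}

/* Keyboard-interactive callback in the shape the thread discusses:
 * answers the first prompt with the password, treating NULL as empty.
 * Returns the number of responses filled, or -1 on allocation failure. */
int kbd_callback_checked(int num_prompts, kbdint_response *responses,
                         const conn_creds *creds)
{
    const char *pw = nonnull_str(creds ? creds->passwd : NULL);
    int i;
    for (i = 0; i < num_prompts; i++) {   /* leave unanswered prompts empty */
        responses[i].text = NULL;
        responses[i].length = 0;
    }
    if (num_prompts < 1)
        return 0;
    responses[0].text = strdup(pw);       /* the library frees this later */
    if (!responses[0].text)
        return -1;
    responses[0].length = (unsigned int)strlen(pw);
    return 1;
}

/* Safe length of a possibly-NULL user name, for the strlen(conn->user) call sites. */
unsigned int user_len_checked(const conn_creds *creds)
{
    return (unsigned int)strlen(nonnull_str(creds ? creds->user : NULL));
}
```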
I don't know that anything did. You could do a bisect to find that out.