Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SFTP torture test 1459 segfault in OOM path #6764

Closed
bagder opened this issue Mar 20, 2021 · 0 comments
Closed

SFTP torture test 1459 segfault in OOM path #6764

bagder opened this issue Mar 20, 2021 · 0 comments
Assignees
@bagder
Labels
crash SCP/SFTP

Comments

@bagder
Copy link
Member

@bagder bagder commented Mar 20, 2021
edited

See build log

When libssh2_knownhost_init returns NULL we still use libssh2 in the disconnect call and then it segfaults, inside libssh2.

Program received signal SIGSEGV, Segmentation fault.
0x0000555555677217 in _libssh2_transport_send (session=0x5555557a3e78, 
    data=0x5555557b0e00 "\001", data_len=21, data2=0x5555556a391d "", data2_len=0)
    at transport.c:892
892         ret = LIBSSH2_SEND(session, p->outbuf, total_length,
(gdb) bt
#0  0x0000555555677217 in _libssh2_transport_send (session=0x5555557a3e78, 
    data=0x5555557b0e00 "\001", data_len=21, data2=0x5555556a391d "", data2_len=0)
    at transport.c:892
#1  0x000055555566870f in session_disconnect (session=0x5555557a3e78, reason=11, 
    description=0x5555556a42b6 "Shutdown", lang=0x5555556a391d "") at session.c:1155
#2  0x0000555555668781 in libssh2_session_disconnect_ex (session=0x5555557a3e78, 
    reason=11, desc=0x5555556a42b6 "Shutdown", lang=0x5555556a391d "")
    at session.c:1175
#3  0x00005555555db48c in ssh_statemach_act (data=0x555555763968, 
    block=0x7fffffffd4b7) at vssh/libssh2.c:2750
#4  0x00005555555dbbbc in ssh_block_statemach (data=0x555555763968, 
    conn=0x5555557a37c8, duringconnect=false) at vssh/libssh2.c:2944
#5  0x00005555555dc816 in sftp_disconnect (data=0x555555763968, 
    conn=0x5555557a37c8, dead_connection=true) at vssh/libssh2.c:3442
#6  0x00005555555c5796 in Curl_disconnect (data=0x555555763968, 
    conn=0x5555557a37c8, dead_connection=true) at url.c:851
#7  0x00005555555a56e4 in multi_done (data=0x555555763968, 
    status=CURLE_FAILED_INIT, premature=true) at multi.c:658

I'm using libssh2 1.9.1-DEV from git master as of today.
@bagder bagder self-assigned this Mar 20, 2021
@bagder bagder changed the title SFTP torture test segfault in OOM path SFTP torture test 1459 segfault in OOM path Mar 20, 2021
bagder added a commit that referenced this issue Mar 20, 2021
@bagder
libssh2: clear session pointer after free
05f37c0 
If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
ssh session was freed but the pointer wasn't cleared which made libcurl
later call libssh2 to cleanup using the stale pointer.

Fixes #6764
Closes #
@bagder bagder mentioned this issue Mar 20, 2021
Closed
@bagder bagder closed this in 012c19c Mar 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
crash SCP/SFTP
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

libssh2: clear session pointer after free
1 participant
@bagder