libssh2_sftp_read() with maxlen of 8192 causes memory corruption #50
If you look at the log output above you can see that the libssh2 file pointer position started at 0. 8192 bytes were requested, 2768 were returned (it's always this number once problems begin), and the new file pointer after read has somehow jumped to 10960.
I compiled libssh2 and all of its dependencies as 64-bit DLLs using Visual Studio 2013. It's linking to OpenSSL 1.0.2d and zlib 1.2.8. All of my testing was done with Windows 7 x64. My sequence of actions is:
I can't provide a callstack because the memory corruption appears to be nuking it. All I get is an access violation at
I can confirm that some weird things happen if the buffer maxlen is much larger than 4k (7k works for me also, but 8k is too large). I end up in an infinite loop where libssh2_sftp_read() keeps returning 0 (in blocking mode).
I don't get any access violation however (also Win7 x64).
I have investigated this issue a little further (using example-sftp) on both of my libssh2 builds (Ubuntu 14.10 and Windows 7) at work.
Corrupted downloads happen (in both builds) if buffer_maxlen * 4 > MAX_SFTP_READ_SIZE. So with the current MAX_SFTP_READ_SIZE=30000, problems occur if buffer_maxlen>7500.
Edit: It is actually the "max_read_ahead" value in sftp.c that causes the issue. It is set to 4*buffer_size but if it exceeds MAX_SFTP_READ_SIZE things break.
As a workaround we could use max_read_ahead = MIN(MAX_SFTP_READ_SIZE, 4*buffer_size) until someone figures out the right solution here...
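As an added illustration of the two mitigations discussed in this thread (not code from libssh2 or from any commenter), the block below models the read-ahead computation and the caller-side alternative of never passing a maxlen larger than MAX_SFTP_READ_SIZE / 4 to the read call. MAX_SFTP_READ_SIZE = 30000 and read-ahead = 4 * buffer_size are taken from the comments above; the `fake_file` reader, the `safe_sftp_read` wrapper, and the `sftp_read_fn` callback type are constructed stand-ins so the code runs without a server or libssh2 itself.

```c
#include <stddef.h>
#include <string.h>

/* Value from sftp.c as quoted in the thread; assumed unchanged here. */
#define MAX_SFTP_READ_SIZE 30000

/* Read-ahead the library derives from the caller's buffer (per the thread: 4 * buffer_size). */
static size_t read_ahead_for(size_t buffer_size) {
    return 4 * buffer_size;
}

/* The proposed library-side workaround: clamp the read-ahead to MAX_SFTP_READ_SIZE. */
size_t clamped_read_ahead(size_t buffer_size) {
    size_t ra = read_ahead_for(buffer_size);
    return ra < MAX_SFTP_READ_SIZE ? ra : MAX_SFTP_READ_SIZE;
}

/* Largest per-call maxlen whose 4x read-ahead still fits: 30000 / 4 = 7500. */
#define SAFE_SFTP_MAXLEN (MAX_SFTP_READ_SIZE / 4)

/* Hypothetical callback shaped like libssh2_sftp_read: bytes read, 0 at EOF, negative on error. */
typedef long (*sftp_read_fn)(void *handle, char *buf, size_t maxlen);

/* Caller-side mitigation: split a large request into reads of at most SAFE_SFTP_MAXLEN bytes,
 * so an unpatched library never computes a read-ahead above MAX_SFTP_READ_SIZE. */
long safe_sftp_read(sftp_read_fn read_fn, void *handle, char *buf, size_t len) {
    size_t total = 0;
    while (total < len) {
        size_t want = len - total;
        if (want > SAFE_SFTP_MAXLEN)
            want = SAFE_SFTP_MAXLEN;
        long n = read_fn(handle, buf + total, want);
        if (n < 0)
            return n;          /* propagate the library's error code */
        if (n == 0)
            break;             /* EOF */
        total += (size_t)n;
    }
    return (long)total;
}

/* Constructed in-memory "file" used to exercise the wrapper offline. */
struct fake_file {
    size_t pos;
    size_t size;
    size_t max_request_seen;   /* largest maxlen the wrapper ever passed down */
};

static long fake_read(void *h, char *buf, size_t maxlen) {
    struct fake_file *f = h;
    if (maxlen > f->max_request_seen)
        f->max_request_seen = maxlen;
    size_t left = f->size - f->pos;
    size_t n = maxlen < left ? maxlen : left;
    memset(buf, 'x', n);       /* payload content is irrelevant for the demo */
    f->pos += n;
    return (long)n;
}

/* Reads a constructed 20000-byte file through the wrapper; returns bytes read and,
 * if max_request is non-NULL, the largest single request that reached the reader. */
long demo_read(size_t *max_request) {
    static char buf[20000];
    struct fake_file f = { 0, sizeof buf, 0 };
    long got = safe_sftp_read(fake_read, &f, buf, sizeof buf);
    if (max_request)
        *max_request = f.max_request_seen;
    return got;
}

size_t demo_max_request(void) {
    size_t m = 0;
    demo_read(&m);
    return m;
}
```

With an 8192-byte buffer the unclamped read-ahead would be 32768, above the 30000 limit the thread identifies; `clamped_read_ahead` caps it at 30000, while `safe_sftp_read` sidesteps the problem entirely by keeping every request at 7500 bytes or less.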