File: userauth.c
Credit:
Etienne Samson
Notes:
Caught by ASAN:
=================================================================
==73797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700001bcf0 at pc 0x00010026198d bp 0x7ffeefbfed30 sp 0x7ffeefbfe4d8
READ of size 69 at 0x60700001bcf0 thread T0
2019-07-04 08:35:30.292502+0200 atos[73890:2639175] examining /Users/USER/*/libssh2_clar [73797]
#0 0x10026198c in wrap_memchr (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f98c)
#1 0x1000f8e66 in file_read_publickey userauth.c:633
#2 0x1000f2dc9 in userauth_publickey_fromfile userauth.c:1513
#3 0x1000f2948 in libssh2_userauth_publickey_fromfile_ex userauth.c:1590
#4 0x10000e254 in test_userauth_publickey__ed25519_auth_ok publickey.c:69
#5 0x1000090c3 in clar_run_test clar.c:260
#6 0x1000038f3 in clar_run_suite clar.c:343
#7 0x100003272 in clar_test_run clar.c:522
#8 0x10000c3cc in main runner.c:60
#9 0x7fff5b43b3d4 in start (libdyld.dylib:x86_64+0x163d4)
0x60700001bcf0 is located 0 bytes to the right of 80-byte region [0x60700001bca0,0x60700001bcf0)
allocated by thread T0 here:
#0 0x10029e053 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c053)
#1 0x1000b4978 in libssh2_default_alloc session.c:67
#2 0x1000f8aba in file_read_publickey userauth.c:597
#3 0x1000f2dc9 in userauth_publickey_fromfile userauth.c:1513
#4 0x1000f2948 in libssh2_userauth_publickey_fromfile_ex userauth.c:1590
#5 0x10000e254 in test_userauth_publickey__ed25519_auth_ok publickey.c:69
#6 0x1000090c3 in clar_run_test clar.c:260
#7 0x1000038f3 in clar_run_suite clar.c:343
#8 0x100003272 in clar_test_run clar.c:522
#9 0x10000c3cc in main runner.c:60
#10 0x7fff5b43b3d4 in start (libdyld.dylib:x86_64+0x163d4)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f98c) in wrap_memchr
Shadow bytes around the buggy address:
0x1c0e00003740: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
0x1c0e00003750: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
0x1c0e00003760: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
0x1c0e00003770: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c0e00003780: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fa
=>0x1c0e00003790: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[fa]fa
0x1c0e000037a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0e000037b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0e000037c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0e000037d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0e000037e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
file : openssl.c
notes :
libssh2's openssl backend has a use-after-free condition if HAVE_OPAQUE_STRUCTS is defined and you call libssh2_init() again after prior initialisation/deinitialisation of libssh2
credit : Thilo Schulz
File : openssl.h
Notes :
LIBSSH2_ECDSA and LIBSSH2_ED25519 are always defined so the #ifdef
checks would never be false.
This change makes it possible to build libssh2 against OpenSSL built
without EC support.
Change-Id: I0a2f07c2d80178314dcb7d505d1295d19cf15afd
Credit : axjowa
Files : agent.c
Notes :
Currently the error details as returned by agent_transact_pageant() are overwritten by a generic "agent list id failed" message by int agent_list_identities(LIBSSH2_AGENT* agent).
Credit :
Zenju
Files : kex.c, misc.c, misc.h
Notes :
Fixed possible out of bounds memory access when reading malformed data in diffie_hellman_sha1() and diffie_hellman_sha256().
Added _libssh2_copy_string() to misc.c to return an allocated and filled char buffer from a string_buf offset. Removed no longer needed s var in kmdhgGPshakex_state_t.
Files : misc.c, hostkey.c, kex.c, misc.h, openssl.c, sftp.c
Notes :
* updated _libssh2_get_bignum_bytes and _libssh2_get_string. Now pass in length as an argument instead of returning it to keep signedness correct. Now returns -1 for failure, 0 for success.
_libssh2_check_length now returns 0 on success and -1 on failure to match the other string_buf functions. Added comment to _libssh2_check_length.
Credit : Will Cosgrove
file : sftp.c
notes : when sftp_packet_read() encounters an sftp packet which exceeds SFTP max packet size it now resets the reading state so it can continue reading.
credit : Zhen-Huan HWANG
File : agent.c
Notes :
Libssh2 uses the SSH_AUTH_SOCK env variable to read the system agent location. However, when using a custom agent path you have to set this value using setenv which is not thread-safe. The new functions allow for a way to set a custom agent socket path in a thread safe manor.
If we clear the entire field, the freeing of data in session_free() is
skipped. Instead just clear the bit that risk making the code get stuck
in the transport functions.
Regression from 4d66f6762ca3fc45d9.
Reported-by: dimmaq on github
Fixes#338Closes#340
The stale bot will automatically mark stale issues (inactive for 90
days) and if still untouched after 21 more days, close them.
See https://probot.github.io/apps/stale/
