/usr/local/bin/curl -u : sftp://test.rebex.net:22 -l --verbose
or
/usr/local/bin/curl -u : sftp://itcsubmit.wustl.edu -l
and got a segfault
not to segfault ;)
curl 7.69.0-DEV (Darwin) libcurl/7.69.0-DEV OpenSSL/1.0.2s zlib/1.2.11 libssh2/1.9.0_DEV nghttp2/1.26.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL UnixSockets
macOS Mojave
~~~
Program received signal SIGSEGV, Segmentation fault.
ssh_force_knownhost_key_type (conn=0x55555574fae8) at vssh/libssh2.c:697
697 if(store->name[0] == '[') {
(gdb) p store
$1 = (struct libssh2_knownhost *) 0x5555557aad80
(gdb) p store->name
$2 = 0x0
~~~
The struct in question is documented in libssh2.h:
~~~c
struct libssh2_knownhost {
    unsigned int magic;  /* magic stored by the library */
    void *node;          /* handle to the internal representation of this host */
    char *name;          /* this is NULL if no plain text host name exists */
    char *key;           /* key in base64/printable format */
    int typemask;
};
~~~
and it specifically says it can be NULL so our code is just not correct!
(This is a regression from #4747 by @SantinoKeupp)
Can reproduce on 0a04dc4d5d775402f2e3cdc192c3aadb2e9c4857
curl 7.69.1-DEV (x86_64-pc-linux-gnu) libcurl/7.69.1-DEV OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM NTLM_WB PSL SSL TLS-SRP UnixSockets
On 7.64.0
curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
I get the error that the SSL cert is bad. If I pass -K it also segfaults, but differently.
thx - the fix is straightforward, e.g. check for null in vssh/libssh2.c:697 (which, as @bagder pointed out, was added in #4747 and caused the regression)... building out the test is most of the work, e.g. I also want to include a few representative known_hosts files (with and without corrupted entries) - will have a PR ready for review tomorrow.
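To show the defect discussed in this thread next to its fix, here is an added C illustration (not curl's or libssh2's code): a constructed mirror of the libssh2_knownhost fields quoted above, the unchecked `name` dereference that mirrors line 697, the null-checked form, and a lookup over a constructed known_hosts list whose first entry has a NULL name (the "no plain text host name" case, e.g. a hashed entry, which is what crashed). Keys, the `[host]:port` handling and the list walk are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the libssh2_knownhost fields quoted in the thread
 * (not the real header): name is NULL when no plain-text host name exists,
 * e.g. for hashed known_hosts entries. */
struct knownhost {
    const char *name;
    const char *key;
    int typemask;
};

/* Buggy shape of the check at vssh/libssh2.c:697: it dereferences name
 * without testing it, so an entry with name == NULL crashes here. */
static int name_matches_unchecked(const struct knownhost *s, const char *host)
{
    if (s->name[0] == '[') {   /* "[host]:port" form */
        const char *end = strchr(s->name, ']');
        size_t len = end ? (size_t)(end - s->name) - 1 : 0;
        return len == strlen(host) && strncmp(s->name + 1, host, len) == 0;
    }
    return strcmp(s->name, host) == 0;
}

/* Hardened form: a NULL name is simply "no plain-text match", skip it. */
static int name_matches_checked(const struct knownhost *s, const char *host)
{
    return s->name != NULL && name_matches_unchecked(s, host);
}

/* Scans the list; returns the first match's typemask, or -1 when none. */
static int lookup_typemask(const struct knownhost *list, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (name_matches_checked(&list[i], host))
            return list[i].typemask;
    return -1;
}

/* Constructed sample list: NULL-name entry first (the crashing case). */
static const struct knownhost sample_hosts[] = {
    { NULL,                  "PLACEHOLDER_KEY_1", 0x10 },
    { "[test.rebex.net]:22", "PLACEHOLDER_KEY_2", 0x20 },
    { "itcsubmit.wustl.edu", "PLACEHOLDER_KEY_3", 0x30 },
};
#define SAMPLE_COUNT (sizeof(sample_hosts) / sizeof(sample_hosts[0]))

int main(void)
{
    printf("%d\n", lookup_typemask(sample_hosts, SAMPLE_COUNT, "test.rebex.net")); /* 32 */
    return 0;
}
```

Calling name_matches_unchecked on sample_hosts[0] reproduces the NULL dereference; the checked lookup walks past it and still matches the bracketed and plain entries.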
Thanks. Feel free to ping me for review!