Discussion:
Possible bug
Giovanni Panozzo
2014-08-25 09:48:09 UTC
Hi, I'm new on this list. I'm using libssh and I think I have found a
bug which crashes my program.

I'm posting here because the site red.libssh.org is currently broken.


In src/dh.c the call:

    rc = ssh_buffer_pack(buf,
                         "dPdP",
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_client_pubkey,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_server_pubkey);

is missing the data length parameter for "P".

Should it be:

    rc = ssh_buffer_pack(buf,
                         "dPdP",
                         CURVE25519_PUBKEY_SIZE,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_client_pubkey,
                         CURVE25519_PUBKEY_SIZE,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_server_pubkey);


Thank you
Giovanni
Andreas Schneider
2014-08-25 10:24:36 UTC
Post by Giovanni Panozzo
Hi, I'm new on this list. I'm using libssh and I think I have found a
bug which crashes my program.
I'm posting here because the site red.libssh.org is currently broken.
    rc = ssh_buffer_pack(buf,
                         "dPdP",
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_client_pubkey,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_server_pubkey);
is missing the data length parameter for "P".
Should it be:
    rc = ssh_buffer_pack(buf,
                         "dPdP",
                         CURVE25519_PUBKEY_SIZE,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_client_pubkey,
                         CURVE25519_PUBKEY_SIZE,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_server_pubkey);
Yes, you're correct. Good catch! I've pushed a fix upstream.



-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
www.cryptomilk.org asn-***@public.gmane.org
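To make the format-string contract concrete, here is an added example (not libssh's own code, and not the thread's patch) of a small variadic packer that follows the same "d"/"P" convention the thread is about: 'd' consumes a uint32_t and writes it big-endian, 'P' consumes a size_t length followed by a pointer. The names pack_buf, pack, pack_curve25519_pubkeys and check_curve25519_layout are hypothetical stand-ins for libssh's ssh_buffer / ssh_buffer_pack, whose real implementation differs; the key bytes are constructed sample data. The point it shows is why the missing size_t matters: va_arg has no way to know the format was mis-called, so a 'P' without its length reads the pointer as a length and the next argument as the pointer, and the only defence is a layout check of the kind Aris asks about, which the last function performs.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CURVE25519_PUBKEY_SIZE 32
#define PACK_BUF_CAP 256

/* Hypothetical byte buffer standing in for libssh's ssh_buffer. */
struct pack_buf {
    uint8_t data[PACK_BUF_CAP];
    size_t len;
};

static int buf_put(struct pack_buf *b, const void *p, size_t n)
{
    if (n > PACK_BUF_CAP - b->len) {
        return -1;                      /* would overflow the buffer */
    }
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

/* Format-driven packer modelled on ssh_buffer_pack's "d" and "P":
 *   'd' takes one uint32_t and writes it as 4 big-endian bytes;
 *   'P' takes a size_t length and then a pointer, copying that many bytes.
 * If a caller omits the size_t before a 'P', va_arg reads the pointer as
 * the length and the following argument as the pointer: the crash reported
 * in the thread. The compiler cannot check variadic arguments against the
 * format string, so the caller must supply exactly what each directive reads. */
static int pack_v(struct pack_buf *b, const char *fmt, va_list ap)
{
    for (; *fmt != '\0'; fmt++) {
        switch (*fmt) {
        case 'd': {
            uint32_t v = va_arg(ap, uint32_t);
            uint8_t be[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16),
                              (uint8_t)(v >> 8),  (uint8_t)v };
            if (buf_put(b, be, sizeof be) < 0) return -1;
            break;
        }
        case 'P': {
            size_t n = va_arg(ap, size_t);
            const void *p = va_arg(ap, const void *);
            if (p == NULL) return -1;   /* refuse to copy from a NULL source */
            if (buf_put(b, p, n) < 0) return -1;
            break;
        }
        default:
            return -1;                  /* unknown directive */
        }
    }
    return 0;
}

static int pack(struct pack_buf *b, const char *fmt, ...)
{
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = pack_v(b, fmt, ap);
    va_end(ap);
    return rc;
}

/* The corrected call shape from the thread: each 'd' writes the uint32
 * length prefix of an SSH string, and each 'P' is preceded by its size_t
 * length so va_arg consumes (length, pointer) as the directive expects. */
static int pack_curve25519_pubkeys(struct pack_buf *b,
                                   const uint8_t *client_pubkey,
                                   const uint8_t *server_pubkey)
{
    return pack(b, "dPdP",
                (uint32_t)CURVE25519_PUBKEY_SIZE,
                (size_t)CURVE25519_PUBKEY_SIZE, client_pubkey,
                (uint32_t)CURVE25519_PUBKEY_SIZE,
                (size_t)CURVE25519_PUBKEY_SIZE, server_pubkey);
}

/* Layout check an automated test could assert: two SSH strings of a 32-byte
 * key occupy 4 + 32 + 4 + 32 = 72 bytes, each prefix is 32, and the key
 * bytes are copied verbatim. Returns the packed length on success, -1 on
 * failure. */
static int check_curve25519_layout(void)
{
    static const uint8_t len32[4] = { 0, 0, 0, 32 };
    uint8_t client[CURVE25519_PUBKEY_SIZE], server[CURVE25519_PUBKEY_SIZE];
    struct pack_buf b = { {0}, 0 };
    size_t i;

    for (i = 0; i < CURVE25519_PUBKEY_SIZE; i++) {   /* constructed sample keys */
        client[i] = (uint8_t)i;
        server[i] = (uint8_t)(0xA0 + i);
    }
    if (pack_curve25519_pubkeys(&b, client, server) != 0) return -1;
    if (b.len != 2 * (4 + CURVE25519_PUBKEY_SIZE)) return -1;
    if (memcmp(b.data, len32, 4) != 0) return -1;
    if (memcmp(b.data + 4, client, CURVE25519_PUBKEY_SIZE) != 0) return -1;
    if (memcmp(b.data + 36, len32, 4) != 0) return -1;
    if (memcmp(b.data + 40, server, CURVE25519_PUBKEY_SIZE) != 0) return -1;
    return (int)b.len;
}

int main(void)
{
    int n = check_curve25519_layout();
    printf("packed %d bytes, layout %s\n", n, n == 72 ? "ok" : "WRONG");
    return n == 72 ? 0 : 1;
}
```

The buggy call from the original post cannot be demonstrated safely, because its behaviour is undefined (the pointer value becomes the copy length, and whatever follows on the stack becomes the source pointer); the layout check above is the kind of assertion that would have flagged a wrong length or a crash in a unit test without needing a Curve25519-capable OpenSSH peer.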
Aris Adamantiadis
2014-08-25 20:04:49 UTC
Hi Andreas,

Good fix, you didn't even forget the size_t cast.
It would be interesting to understand why we didn't catch this with an
automated test. Is it because the OpenSSH we use for nightly testing is
too old for Curve25519 kex?
Sometimes being ahead of OpenSSH isn't always an advantage :)

Aris
Post by Andreas Schneider
Post by Giovanni Panozzo
Hi, I'm new on this list. I'm using libssh and I think I have found a
bug which crashes my program.
I'm posting here because the site red.libssh.org is currently broken.
    rc = ssh_buffer_pack(buf,
                         "dPdP",
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_client_pubkey,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_server_pubkey);
is missing the data length parameter for "P".
Should it be:
    rc = ssh_buffer_pack(buf,
                         "dPdP",
                         CURVE25519_PUBKEY_SIZE,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_client_pubkey,
                         CURVE25519_PUBKEY_SIZE,
                         CURVE25519_PUBKEY_SIZE,
                         session->next_crypto->curve25519_server_pubkey);
Yes, you're correct. Good catch! I've pushed a fix upstream.
-- andreas