fix libssh2 failing key re-exchange when write channel is saturated (#804155 )

avoid a crash of curl when downloading large files using SFTP (#802382 )
2012-03-16 18:59:04 +00:00 · 2012-03-12 13:50:31 +01:00
3 changed files with 103 additions and 2 deletions
--- a/libssh2-1.2.7-bz802382.patch
+++ b/libssh2-1.2.7-bz802382.patch
@ -0,0 +1,32 @@
+From be86f37814a3f80bb1e827be1e08e608d8f304f4 Mon Sep 17 00:00:00 2001
+From: Joey Degges <jdegges@gmail.com>
+Date: Tue, 21 Dec 2010 02:53:20 -0800
+Subject: [PATCH] _libssh2_ntohu64: fix conversion from network bytes to uint64
+
+Cast individual bytes to uint64 to avoid overflow in arithmetic.
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/misc.c |    6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index e6c5e99..a5e540c 100644
+--- a/src/misc.c
+++ b/src/misc.c
+@@ -148,8 +148,10 @@ _libssh2_ntohu64(const unsigned char *buf)
+ {
+     unsigned long msl, lsl;
+ 
+-    msl = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
+-    lsl = (buf[4] << 24) | (buf[5] << 16) | (buf[6] << 8) | buf[7];
+    msl = ((libssh2_uint64_t)buf[0] << 24) | ((libssh2_uint64_t)buf[1] << 16)
+        | ((libssh2_uint64_t)buf[2] << 8) | (libssh2_uint64_t)buf[3];
+    lsl = ((libssh2_uint64_t)buf[4] << 24) | ((libssh2_uint64_t)buf[5] << 16)
+        | ((libssh2_uint64_t)buf[6] << 8) | (libssh2_uint64_t)buf[7];
+ 
+     return ((libssh2_uint64_t)msl <<32) | lsl;
+ }
+-- 
+1.7.1
+
--- a/libssh2-1.2.7-bz804155.patch
+++ b/libssh2-1.2.7-bz804155.patch
@ -0,0 +1,55 @@
+transport_send: Finish in-progress key exchange before sending data
+
+Backport of upstream commit cc4f9d5679278ce41cd5480fab3f5e71dba163ed
+
+_libssh2_channel_write() first reads outstanding packets before writing new
+data. If it reads a key exchange request, it will immediately start key
+re-exchange, which will require sending a response. If the output socket is
+full, this will result in a return from _libssh2_transport_read() of
+LIBSSH2_ERROR_EAGAIN. In order not to block a write because there is no data to
+read, this error is explicitly ignored and the code continues marshalling a
+packet for sending. When it is sent, the remote end immediately drops the
+connection because it was expecting a continuation of the key exchange, but got
+a data packet.
+    
+This change adds the same check for key exchange to _libssh2_transport_write()
+that is in _libssh2_transport_read(). This ensures that key exchange is
+completed before any data packet is sent.
+
+diff -up libssh2-1.2.7/src/transport.c.bz804155 libssh2-1.2.7/src/transport.c
+--- libssh2-1.2.7/src/transport.c.bz804155
+++ libssh2-1.2.7/src/transport.c
+@@ -312,7 +312,7 @@ int _libssh2_transport_read(LIBSSH2_SESS
+          * is done!
+          */
+         _libssh2_debug(session, LIBSSH2_TRACE_TRANS, "Redirecting into the"
+-                       " key re-exchange");
+                       " key re-exchange from _libssh2_transport_read");
+         rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state);
+         if (rc)
+             return rc;
+@@ -718,6 +718,24 @@ _libssh2_transport_write(LIBSSH2_SESSION
+     unsigned char *orgdata = data;
+     size_t orgdata_len = data_len;
+ 
+    /*
+     * If the last read operation was interrupted in the middle of a key
+     * exchange, we must complete that key exchange before continuing to write
+     * further data.
+     *
+     * See the similar block in _libssh2_transport_read for more details.
+     */
+    if (session->state & LIBSSH2_STATE_EXCHANGING_KEYS &&
+        !(session->state & LIBSSH2_STATE_KEX_ACTIVE)) {
+        /* Don't write any new packets if we're still in the middle of a key
+         * exchange. */
+        _libssh2_debug(session, LIBSSH2_TRACE_TRANS, "Redirecting into the"
+                       " key re-exchange from _libssh2_transport_write");
+        rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state);
+        if (rc)
+            return rc;
+    }
+
+     debugdump(session, "libssh2_transport_write plain", data, data_len);
+ 
+     /* FIRST, check if we have a pending write to complete */
--- a/libssh2.spec
+++ b/libssh2.spec
@ -1,12 +1,14 @@
 Name:           libssh2
 Version:        1.2.7
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        A library implementing the SSH2 protocol

 Group:          System Environment/Libraries
 License:        BSD
 URL:            http://www.libssh2.org
 Source0:        http://libssh2.org/download/libssh2-%{version}.tar.gz
+Patch0:         libssh2-1.2.7-bz802382.patch
+Patch1:         libssh2-1.2.7-bz804155.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires:  openssl-devel
@ -45,6 +47,12 @@ developing applications that use %{name}.
 %prep
 %setup -q

+# avoid a crash of curl when downloading large files using SFTP (#802382)
+%patch0 -p1
+
+# fix libssh2 failing key re-exchange when write channel is saturated (#804155)
+%patch1 -p1
+
 # make sure things are UTF-8...
 for i in ChangeLog NEWS ; do
    iconv --from=ISO-8859-1 --to=UTF-8 $i > new
@ -112,7 +120,13 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/*

 %changelog
-* Sat Jun 25 2011 Dennis Gilmore <dennis@ausil.us> - 1.2.7-2
+* Fri Mar 16 2012 Paul Howarth <paul@city-fan.org> 1.2.7-4
+- fix libssh2 failing key re-exchange when write channel is saturated (#804155)
+
+* Mon Mar 12 2012 Kamil Dudka <kdudka@redhat.com> 1.2.7-3
+- avoid a crash of curl when downloading large files using SFTP (#802382)
+
+* Sat Jun 25 2011 Dennis Gilmore <dennis@ausil.us> 1.2.7-2
 - sshd/loopback test fails in the sparc buildsystem

 * Tue Oct 12 2010 Kamil Dudka <kdudka@redhat.com> 1.2.7-1
Author	SHA1	Message	Date
Paul Howarth	9731aba4aa	fix libssh2 failing key re-exchange when write channel is saturated (#804155 )	2012-03-16 18:59:04 +00:00
Kamil Dudka	d77a1af0b7	avoid a crash of curl when downloading large files using SFTP (#802382 )	2012-03-12 13:50:31 +01:00