10 Jul 2012 18:15
#244: scp_send may transmit not initialised memory
--------------------------+--------------------
Reporter: torsten.rupp | Owner:
Type: defect | Status: new
Priority: normal | Milestone: 1.4.0
Component: SCP | Version: 1.4.1
Keywords: scp_send | Blocked By:
Blocks: |
--------------------------+--------------------
In the function scp_send() the transmission function
_libssh2_channel_process_startup() may be called with a message size
larger than the actual initialised message buffer. This causes, e.g. with
valgrind, a warning that uninitialised memory is used.
From my analysis this is the problem:
- at the beginning of the function scp_send() (line 787, scp.c)
_libssh2_shell_quotedsize() is called to detect the memory space needed
for session->scpRecv_command. This size is the _maximum_ size of the
encoded message.
session->scpSend_command_len =
_libssh2_shell_quotedsize(path) + sizeof("scp -t ") +
((mtime || atime)?1:0);
- the memory is allocated (line 791, scp.c)
- the message content is formatted with a snprintf()-call (line 799, scp.c)
snprintf((char *)session->scpSend_command,
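Added illustration of the size mismatch the ticket describes; this is example code written for this page, not libssh2 code and not from the reporter. The helpers quoted_max_size(), quote_path(), build_scp_command() and struct scp_cmd are hypothetical stand-ins for the _libssh2_shell_quotedsize()/snprintf() sequence in scp_send(): the allocation is sized from a worst-case quoting bound, but only the bytes snprintf() reports written are initialised, so that return value, not the allocation size, is the length a transmit call must be given.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for _libssh2_shell_quotedsize(): an upper bound.
 * Worst case every byte is a single quote needing the 4-byte sequence '\'',
 * plus two enclosing quotes and the NUL. Real output is usually shorter. */
static size_t quoted_max_size(const char *path)
{
    return 4 * strlen(path) + 3;
}

/* Single-quote a path for a POSIX shell into out (at most cap bytes incl. NUL).
 * Returns the number of bytes written, excluding the NUL. */
static size_t quote_path(const char *path, char *out, size_t cap)
{
    size_t n = 0;
    const char *p;
    if (cap < 3)
        return 0;                       /* no room for '' + NUL */
    out[n++] = '\'';
    for (p = path; *p; p++) {
        if (*p == '\'') {
            if (n + 4 + 2 > cap)        /* keep room for closing quote + NUL */
                break;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 + 2 > cap)
                break;
            out[n++] = *p;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return n;
}

struct scp_cmd {
    char *buf;      /* heap buffer sized from the upper bound */
    size_t alloc;   /* bytes allocated: upper bound + prefix (+1 for the time flag) */
    size_t len;     /* bytes snprintf() actually wrote: the only safe send length */
};

/* Build "scp -t <quoted>" (or "scp -pt <quoted>" when timestamps are sent),
 * mirroring the allocation arithmetic quoted in the ticket. */
static int build_scp_command(const char *path, int with_times, struct scp_cmd *cmd)
{
    size_t qmax = quoted_max_size(path);
    char *quoted = malloc(qmax);
    int written;

    if (!quoted)
        return -1;
    quote_path(path, quoted, qmax);

    cmd->alloc = qmax + sizeof("scp -t ") + (with_times ? 1 : 0);
    cmd->buf = malloc(cmd->alloc);
    if (!cmd->buf) {
        free(quoted);
        return -1;
    }
    written = snprintf(cmd->buf, cmd->alloc, "scp -%st %s",
                       with_times ? "p" : "", quoted);
    free(quoted);
    if (written < 0 || (size_t)written >= cmd->alloc) {
        free(cmd->buf);
        cmd->buf = NULL;
        return -1;
    }
    cmd->len = (size_t)written;         /* bytes [0, len] are initialised, the rest are not */
    return 0;
}

/* How many never-written bytes a transmit of n bytes from cmd->buf would leak.
 * The NUL at buf[len] is initialised, everything past it is not. */
static size_t uninitialised_bytes_if_sent(const struct scp_cmd *cmd, size_t n)
{
    return n > cmd->len + 1 ? n - (cmd->len + 1) : 0;
}

int main(void)
{
    struct scp_cmd c;
    if (build_scp_command("it's a file.txt", 1, &c) != 0)
        return 1;
    printf("command   : %s\n", c.buf);
    printf("allocated : %zu bytes, written: %zu bytes\n", c.alloc, c.len);
    printf("sending alloc size would expose %zu uninitialised bytes\n",
           uninitialised_bytes_if_sent(&c, c.alloc));
    free(c.buf);
    return 0;
}
```

The check a reviewer would want is the last line of build_scp_command(): whatever length variable is later handed to the transmit call must be assigned from the snprintf() result, not left at the worst-case estimate computed before the buffer was filled. Valgrind flags exactly the bytes uninitialised_bytes_if_sent() counts.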