libssh2 Trac | 27 Feb 10:14 2015

#294: DoS condition: read from unmapped memory region causes libssh2 to crash

#294: DoS condition: read from unmapped memory region causes libssh2 to crash
 Reporter:  mzet      |       Owner:
     Type:  defect    |      Status:  new
 Priority:  high      |   Milestone:  1.4.3
Component:  protocol  |     Version:
 Keywords:  security  |  Blocked By:
   Blocks:            |
 Affected are versions 1.4.3 and latest development version.


 Specifically crafted input from ssh server causes read access from
 unmapped memory region resulting in crash (Segmentation fault) and causing
 denial of service condition.

 Valgrind output:
 ==3670== Process terminating with default action of signal 11 (SIGSEGV)
 ==3670==  Access not within mapped region at address 0x6AA107D8
 ==3670==    at 0x4087DB: _libssh2_ntohu32 (misc.c:163)
 ==3670==    by 0x419E62: kex_agree_methods (kex.c:1583)
 ==3670==    by 0x41A5CB: _libssh2_kex_exchange (kex.c:1749)
 ==3670==    by 0x40C964: session_startup (session.c:723)
 ==3670==    by 0x40CC04: libssh2_session_handshake (session.c:801)
 ==3670==    by 0x402BCE: main (ssh2.c:118)

 The issue is caused by following code in kex.c:kex_agree_methods(...)
(Continue reading)

Daniel Stenberg | 21 Feb 23:48 2015

Ok, let's talk release again. For real.


Do anyone have any stuff that should go in before a release? And then I mean 
something you yourself plan to fix within a week or so.



Srikanth Bemineni | 17 Feb 07:29 2015

LIBSSH2 random crash in openssl library


We are seeing this random crash in libssh2 while copying files in a multi threaded application. Our application is threaded application, and each file transfer happens in its own thread. Each thread creates its own libssh2 session and a channel to transfer the file. Occasionally we see this random crash in openssl library. Below is the stack trace of the crash.

               some_application.exe!sha1_block_data_order()  + 0x2b5c bytes     
               some_application.exe!SHA1_Update(SHAstate_st * c, const void * data_, unsigned __int64 len)  Line 326        C
               some_application.exe!update(env_md_ctx_st * ctx, const void * data, unsigned __int64 count)  Line 78 + 0x34 bytes      C
               some_application.exe!EVP_DigestUpdate(env_md_ctx_st * ctx, const void * data, unsigned __int64 count)  Line 252               C
               some_application.exe!ssleay_rand_bytes(unsigned char * buf, int num, int pseudo, int lock)  Line 499                C
               some_application.exe!ssleay_rand_nopseudo_bytes(unsigned char * buf, int num)  Line 542            C
               some_application.exe!RAND_bytes(unsigned char * buf, int num)  Line 165 + 0x11 bytes      C
               some_application.exe!_libssh2_transport_send(_LIBSSH2_SESSION * session, const unsigned char * data, unsigned __int64 data_len, const unsigned char * data2, unsigned __int64 data2_len)  Line 820             C
               some_application.exe!_libssh2_channel_write(_LIBSSH2_CHANNEL * channel, int stream_id, const unsigned char * buf, unsigned __int64 buflen)  Line 2060 + 0x46 bytes               C
               some_application.exe!libssh2_channel_write_ex(_LIBSSH2_CHANNEL * channel, int stream_id, const char * buf, unsigned __int64 buflen)  Line 2109 + 0x24 bytes   C
               some_application.exe!Ssha::scp_write_file(QString * local_path, _LIBSSH2_CHANNEL * channel_new)  Line 761 + 0x1b bytes   C++
>              some_application.exe!Ssha::PutFile(QString * local_path, QString * remote_path)  Line 854 + 0x4a bytes     C++

When I look at the session errmsg  Its says "Unable to send channel data" with errcode LIBSSH2_ERROR_EAGAIN

The locking mechanism is also in place for open ssl. We did check that openssl global data is locked and released by the mutex. Is there anything that we are missing from the  libssh2 perspective ?



void locking_function(int mode, int n, const char *file, int line)
    if (mode & CRYPTO_LOCK)
        if(mutex_buf[n] != NULL)
        if(mutex_buf[n] != NULL)

unsigned long id_function()
    return (unsigned long)QThread::currentThreadId();

void Cb_function(CRYPTO_THREADID *id)
  CRYPTO_THREADID_set_numeric(id, (unsigned long)QThread::currentThreadId());

bool CRYPTO_thread_setup()
  int i;
  int num = CRYPTO_num_locks();
    for (i = 0; i < num; i++)
      lock_count[i] = 0;
      mutex_buf[i] = new QMutex(QMutex::NonRecursive);
  return true;

void CRYPTO_thread_cleanup()
  int i;
  int num = CRYPTO_num_locks();
  if(crypto_initialized != 0)
    for (i = 0; i < num; i++)
    crypto_initialized = 0;

I see a similar issue reported as a bug in  . The resolution says adding libssh2_init(0); fixed the issue. This has already been taken care in our code, but we still see the crash.

Srikanth Bemineni
Nava Whiteford | 16 Feb 16:23 2015

libssh2 in Javascript

Hi all,

Over the past few weeks I've been playing with libssh2 and Emscripten in order to port libssh2 to Javascript. I don't know if this has been done before, but it was an interesting project for me. I've released a proof of concept web based ssh client here:

I'd recommend the "Eliza" demo to get an idea of how well it works, other connections are routed over Tor. The code is also available in github:

Though I'm sure it's quite cringe-worthy. However I wanted to push it out and see if anyone else is interested in it before devoting further time to the project.

Comments most welcome off-list (or if appropriate on-list).


Yoichiro Tanaka | 26 Jan 12:49 2015

Using libssh2_sftp_* functions in multi-threading environment

Hi there,

I'm developing my application to access SFTP server with libssh2. And, I want to give an ability to access the SFTP server from multi-threads to the application, for example, downloading some files simultaneously.

I have some questions about how to use libssh2_sftp_* functions.

(1) Are "libssh2_sftp_*" functions thread-safe?

(2) If yes, what is a value to issue for each thread? Do I need to issue a sftp_session value issued by the libssh2_sftp_init() function for each thread? Or, Can I share the sftp_session value with all threads? That is, do I need to issue a sftp_handle value issued by the libssh2_sftp_open(dir) for each thread with the same value of the sftp_session?

(3) If a lock (ex. mutex) is necessary, where I should apply the lock against my code? From the libssh2_sftp_init() calling to the reading file with the all libssh2_sftp_read() calling? Or, each API calling?

(4) Is there any sample code to use libssh2 in  the multi-threading environment?

Thank you for your advice.

Will Cosgrove | 13 Jan 01:29 2015

diffie-hellman-group-exchange-sha256 key exchange

Hi All,
I’m adding diffie-hellman-group-exchange-sha256 support and have it working.  However, if I am to
submit this patch back to the project I have a couple code style questions.

First, kmdhgGPsha1kex_state_t is coded to be specific to sha1.  No big deal I thought, I could add a sha256
version.  However that leads to key_exchange_state_low_t which is included in key_exchange_state_t. 
So now we’re duplicating three structs and causing a lot of branching, not so great. 

At that point, I decided to change kmdhgGPsha1kex_state_t to support sha256. The following changes were made:

unsigned char h_sig_comp[SHA256_DIGEST_LENGTH]; //SHA1_DIGEST_LENGTH

//libssh2_sha1_ctx exchange_hash;
EVP_MD_CTX exchange_hash;

This isn’t so hot as it hard-codes openssl support instead of using the libssh2_sha1_ctx macro.  On the
flip side, creating three new structures for a couple calls seems excessive.  

Anyone out there have opinions on how to proceed?

libssh2 Trac | 16 Dec 22:41 2014

#293: error in direct_tcpip.c example

#293: error in direct_tcpip.c example
 Reporter:  bbo       |       Owner:
     Type:  defect    |      Status:  new
 Priority:  normal    |   Milestone:  1.5.0
Component:  examples  |     Version:  1.4.2
 Keywords:            |  Blocked By:
   Blocks:            |
 The example direct_tcpip.c doesn't take care of EAGAIN case return by
 libssh2_channel_write. This can lead to non transmitted file when this
 error is raised, while this should just delay the transmission because the
 socket are busy.
 To see the error, just run a process with high priority on the receiver of
 data trasnmitted through the libssh2_channel_write.
 Solution is just to retry the call to libssh2_channel_write one (or
 several) other time.

 Here under is the current code taken from the git repo today:
 Git repo code:

 wr = 0;
 do {
   i = libssh2_channel_write(channel, buf, len);
   if (i < 0) {
     fprintf(stderr, "libssh2_channel_write: %d\n", i);
     goto shutdown;
   wr += i;
 } while(i > 0 && wr < len);

 Code patched:
 wr = 0;
 do {
   i = libssh2_channel_write(channel, buf, len);
   if (i >= 0)
     wr += i;
   else if(i == LIBSSH2_ERROR_EAGAIN)
     fprintf(stderr, "libssh2_channel_write: LIBSSH2_ERROR_EAGAIN, retry to
   else {
     fprintf(stderr, "libssh2_channel_write: %d\n", i);
     goto shutdown;
 } while(wr < len);


Ticket URL: <>
libssh2 <>
C library for writing portable SSH2 clients

Marc Hörsken | 15 Dec 12:26 2014

[PATCH] silence multiple data conversion warnings

Hello everyone,

attached you will find a patch to silence multiple compiler warnings about invalid data conversions with
possible data loss using the VS2012 compiler.

Since these are quite a lot of small changes, I would like someone else to review and push it to the repository.

Thanks in advance.

Best regards,

Marc Hoersken | 15 Dec 01:32 2014

Additional questions related to my fixes of possible NULL pointer de-references

Hello everyone,

I just posted a bunch of patches to the Git repository that are the
result of running the code analysis feature of VS2012 against libssh2
using the new CMake generated project files.

Most of them are quite basic, but at least the following two patches
raise additional questions that I would like to bring to your attention:
- kex.c: fix possible NULL pointer de-reference with session->kex [1]
- packet.c: fix possible NULL pointer de-reference within listen_state [2]

I think that just catching the possible NULL pointer in those code paths
is actually not enough to make libssh2 behave correctly.
In my opinion some kind of error code needs to be raised if such an
error condition is reached.

What do you think? Patches and ideas are welcome.

Best regards,


Alexander Lamaison | 6 Dec 01:34 2014


You may recall that back in March I promised to convert the libssh2
build system to CMake 'soon'.  Well, 9 months later, it is more or
less complete:  I
would greatly appreciate your feedback and help with testing on the
platforms that matter to you.

The goal is to match or exceed every relevant feature of the autotools
system like-for-like, so, unless otherwise stated in this email,
assume that any missing functionality is a bug.  Please report it.

CMake, however, is fundamentally different from autotools, so some
features (for example, building source distributions, aka `make dist`)
aren't relevant anymore and aren't specifically catered for.  The
README should get you started but, if you need help getting accustomed
to CMake, I'm very happy to answer any questions you have.

- A version of libssh2 using CMake is available at
- Please test

Platform support

I've tested the build with the three major platforms, Linux (GCC
4.6.3, Clang 3.4), Windows (VS2005, VS2008) and MacOS X (AppleClang
6.0.0), in a variety of configurations.  I've also set up continuous
integration using Travis CI [2], so libssh2 is continually tested on
Linux in 32 combinations of OpenSSL/Libgrypt, 32-bit/64-bit,
GCC/Clang, shared/static, with/without zlib.

I've not been able to test with VMS or Netware, two of the more
unusual platforms that we support.  I don't have access to that kind
of hardware, so any help testing would be greatly appreciated.


If you are wondering what benefits this change brings, there is plenty
of discussion about this out there about the merits of CMake, but the
main reasons that it makes sense for libssh2 are:

1) We were trying (failing?) to maintain build files by hand for
   non-autotool platforms such as Windows.  As well as being a waste
   of effort, these custom jobds rarely kept up with libssh2
   development.  For example, they are hardcoded to use OpenSSL even
   though libssh2 supports multiple crypto backends.  Using CMake we
   are now able to build libssh2 for all the common platforms and
   crypto backends using a single build configuration.  When it is
   updated to accomodate a new feature, all platforms feel the
   benefit simultaneously.

2) Even if we supported your _platform_, our build setup restricted
   your choice of development environment to GNU Makefiles on Unix or
   Visual Studio 6 on Windows.  Using CMake we can now generate the
   necessary files for your choosen environment: GNU Makefiles, Visual
   Studio 2005-2014, Xcode, Eclipse CDT ... and many more [1].

3) CMake makes it easy to automatically fetch and build a projects as
   a component of a larger CMake project.  This a big deal for a

4) For better or worse, CMake has won the latest war of the C/C++
   build systems.  This makes it the focus of new innovation and the
   support community is very active.  As more and more projects are
   adopting it, they can take advantage of 3).

What doesn't work yet?

I've already mentioned that I've not been able to test VMS or Netware,
so I'm going to assume that doesn't work simply because I've not done
anything with the code in the `vms` and `nw` directories yet.  It's
possible that that code is redunant for CMake but, if not, I'll adjust
the build files if a VMS/Netware user can explain to me what they

Compiling with OpenWatcom works but I'm having trouble linking against
OpenSSL.  Using WinCNG also doesn't compile and it seems to be a SDK
issue.  Can anyone familiar with that compiler help me understand what
extra steps are necessary?  Another issue with OpenWatcom is that
version 1.9 doesn't work if CMake is installed in a path containing
spaces or parentheses.  The bug is with the compiler, but I've filed a
CMake issue to request a workaround [3].

Libssh2 inherited some complex compiler warning settings from cURL.
I've not ported this to CMake yet because I want to understand the
goal first, so that I can do this in a cross-platform way.  For now,
I've turned on -Wall or /W4.  Would anyone like other warnings
enabled?  If so, which?

Any changes committed to develop since I branched are not yet
integrated into the cmake branch.  That's the next job.

Thanks for listening.  Fire away.




Swish - Easy SFTP for Windows Explorer (
Niels Larsen | 4 Dec 20:36 2014

gcc -V causes ubuntu 14.04 compile failure?

Libssh2 people,

On stock Ubuntu 14.04 (Linux 64 bit) I get:

~/BION/Software/Package_sources/Utilities/libssh2-1.4.3> ./configure 
checking whether to enable maintainer-specific portions of Makefiles...
checking for sed... /bin/sed
checking for a BSD-compatible
install... /home/bion/BION/Software/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir
-p... /home/bion/BION/Software/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking libssh2 version... 1.4.3
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
configure: autobuild project... libssh2
configure: autobuild revision... 1.4.3
configure: autobuild hostname... bion-VirtualBox
configure: autobuild timestamp... 20141204-202652
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in
configure: error: C compiler cannot create executables
See `config.log' for more details

and config.log is attached. It looks as if gcc is given the -V argument,
gcc does not understand anymore. The latest daily snapshot (december 4)
behaves the same. Can someone tell me where to edit if there is an easy 
fix, or better, post an update with the fix?

Niels L

Attachment (config.log): text/x-log, 10 KiB