From 3893140b1ff88d70407d5ab902022ab36d7305d7 Mon Sep 17 00:00:00 2001
From: Marc Hoersken <info@marc-hoersken.de>
Date: Mon, 23 Mar 2015 22:47:46 +0100
Subject: [PATCH 1/5] scp.c: fix that scp_send may transmit not initialised
memory
Fixes ticket 244. Thanks Torsten.
Upstream-commit: b99204f2896b0cdafa3ecc0736f0252ce44c32c7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/scp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/scp.c b/src/scp.c
index 63d181e..2f92804 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -801,12 +801,18 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode,
cmd_len = strlen((char *)session->scpSend_command);
+ memset(&session->scpSend_command[cmd_len], 0,
+ session->scpSend_command_len - cmd_len);
+
(void)shell_quotearg(path,
&session->scpSend_command[cmd_len],
session->scpSend_command_len - cmd_len);
session->scpSend_command[session->scpSend_command_len - 1] = '\0';
+ session->scpSend_command_len =
+ strlen((char *)session->scpSend_command);
+
_libssh2_debug(session, LIBSSH2_TRACE_SCP,
"Opening channel for SCP send");
/* Allocate a channel */
--
2.13.5
From 2ecb8c5d6e116fcc71a31360115c9c2b4b0ca1d2 Mon Sep 17 00:00:00 2001
From: Marc Hoersken <info@marc-hoersken.de>
Date: Mon, 23 Mar 2015 23:04:24 +0100
Subject: [PATCH 2/5] scp.c: fix that scp_recv may transmit not initialised
memory
Upstream-commit: 1e7988cb0d8dae32148b04dd93e919a770599f30
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/scp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/scp.c b/src/scp.c
index 2f92804..d0c0d26 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -299,10 +299,17 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb)
cmd_len = strlen((char *)session->scpRecv_command);
+ memset(&session->scpRecv_command[cmd_len], 0,
+ session->scpRecv_command_len - cmd_len);
+
(void) shell_quotearg(path,
&session->scpRecv_command[cmd_len],
session->scpRecv_command_len - cmd_len);
+ session->scpRecv_command[session->scpRecv_command_len - 1] = '\0';
+
+ session->scpRecv_command_len =
+ strlen((char *)session->scpRecv_command);
_libssh2_debug(session, LIBSSH2_TRACE_SCP,
"Opening channel for SCP receive");
--
2.13.5
From 5b23e9e9875302791f5c190cf0e4f61fd9879ff0 Mon Sep 17 00:00:00 2001
From: Marc Hoersken <info@marc-hoersken.de>
Date: Mon, 23 Mar 2015 23:05:41 +0100
Subject: [PATCH 3/5] scp.c: improved and streamlined formatting
Upstream-commit: 2d59b41daa3925645a26e6406fc318e6c2bfaae6
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/scp.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/scp.c b/src/scp.c
index d0c0d26..30d46af 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -295,16 +295,17 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb)
}
snprintf((char *)session->scpRecv_command,
- session->scpRecv_command_len, "scp -%sf ", sb?"p":"");
+ session->scpRecv_command_len,
+ "scp -%sf ", sb?"p":"");
cmd_len = strlen((char *)session->scpRecv_command);
memset(&session->scpRecv_command[cmd_len], 0,
session->scpRecv_command_len - cmd_len);
- (void) shell_quotearg(path,
- &session->scpRecv_command[cmd_len],
- session->scpRecv_command_len - cmd_len);
+ (void)shell_quotearg(path,
+ &session->scpRecv_command[cmd_len],
+ session->scpRecv_command_len - cmd_len);
session->scpRecv_command[session->scpRecv_command_len - 1] = '\0';
@@ -797,13 +798,16 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode,
session->scpSend_command =
LIBSSH2_ALLOC(session, session->scpSend_command_len);
+
if (!session->scpSend_command) {
_libssh2_error(session, LIBSSH2_ERROR_ALLOC,
- "Unable to allocate a command buffer for scp session");
+ "Unable to allocate a command buffer for "
+ "SCP session");
return NULL;
}
- snprintf((char *)session->scpSend_command, session->scpSend_command_len,
+ snprintf((char *)session->scpSend_command,
+ session->scpSend_command_len,
"scp -%st ", (mtime || atime)?"p":"");
cmd_len = strlen((char *)session->scpSend_command);
--
2.13.5
From fc0d9df034e8701cdcf6c24fd40b1dbc8bc3e084 Mon Sep 17 00:00:00 2001
From: Marc Hoersken <info@marc-hoersken.de>
Date: Mon, 23 Mar 2015 23:17:31 +0100
Subject: [PATCH 4/5] scp.c: improved command length calculation
Reduced number of calls to strlen, because shell_quotearg already
returns the length of the resulting string (e.q. quoted path)
which we can add to the existing and known cmd_len.
Removed obsolete call to memset again, because we can put a final
NULL-byte at the end of the string using the calculated length.
Upstream-commit: 3d3347c0625ce29b5581a0aa45e6e3be580769f1
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/scp.c | 32 ++++++++++----------------------
1 file changed, 10 insertions(+), 22 deletions(-)
diff --git a/src/scp.c b/src/scp.c
index 30d46af..f3d4995 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -299,18 +299,12 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb)
"scp -%sf ", sb?"p":"");
cmd_len = strlen((char *)session->scpRecv_command);
+ cmd_len += shell_quotearg(path,
+ &session->scpRecv_command[cmd_len],
+ session->scpRecv_command_len - cmd_len);
- memset(&session->scpRecv_command[cmd_len], 0,
- session->scpRecv_command_len - cmd_len);
-
- (void)shell_quotearg(path,
- &session->scpRecv_command[cmd_len],
- session->scpRecv_command_len - cmd_len);
-
- session->scpRecv_command[session->scpRecv_command_len - 1] = '\0';
-
- session->scpRecv_command_len =
- strlen((char *)session->scpRecv_command);
+ session->scpRecv_command[cmd_len] = '\0';
+ session->scpRecv_command_len = cmd_len + 1;
_libssh2_debug(session, LIBSSH2_TRACE_SCP,
"Opening channel for SCP receive");
@@ -811,18 +805,12 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode,
"scp -%st ", (mtime || atime)?"p":"");
cmd_len = strlen((char *)session->scpSend_command);
+ cmd_len += shell_quotearg(path,
+ &session->scpSend_command[cmd_len],
+ session->scpSend_command_len - cmd_len);
- memset(&session->scpSend_command[cmd_len], 0,
- session->scpSend_command_len - cmd_len);
-
- (void)shell_quotearg(path,
- &session->scpSend_command[cmd_len],
- session->scpSend_command_len - cmd_len);
-
- session->scpSend_command[session->scpSend_command_len - 1] = '\0';
-
- session->scpSend_command_len =
- strlen((char *)session->scpSend_command);
+ session->scpSend_command[cmd_len] = '\0';
+ session->scpSend_command_len = cmd_len + 1;
_libssh2_debug(session, LIBSSH2_TRACE_SCP,
"Opening channel for SCP send");
--
2.13.5
From 9506e299fa5116aa8c4c626e6de1feaed9ff9ff8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 11 Sep 2017 21:13:45 +0200
Subject: [PATCH 5/5] scp: do not NUL-terminate the command for remote exec
(#208)
It breaks SCP download/upload from/to certain server implementations.
The bug does not manifest with OpenSSH, which silently drops the NUL
byte (eventually with any garbage that follows the NUL byte) before
executing it.
Bug: https://bugzilla.redhat.com/1489736
Upstream-commit: 819ef4f2037490b6aa2e870aea851b6364184090
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/scp.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/scp.c b/src/scp.c
index f3d4995..c6451bc 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb)
&session->scpRecv_command[cmd_len],
session->scpRecv_command_len - cmd_len);
- session->scpRecv_command[cmd_len] = '\0';
- session->scpRecv_command_len = cmd_len + 1;
+ /* the command to exec should _not_ be NUL-terminated */
+ session->scpRecv_command_len = cmd_len;
_libssh2_debug(session, LIBSSH2_TRACE_SCP,
"Opening channel for SCP receive");
@@ -809,8 +809,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode,
&session->scpSend_command[cmd_len],
session->scpSend_command_len - cmd_len);
- session->scpSend_command[cmd_len] = '\0';
- session->scpSend_command_len = cmd_len + 1;
+ /* the command to exec should _not_ be NUL-terminated */
+ session->scpSend_command_len = cmd_len;
_libssh2_debug(session, LIBSSH2_TRACE_SCP,
"Opening channel for SCP send");
--
2.13.5