On May 23, 2022, at 12:46 AM, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> I believe the problem here is that the call to sshpkt_getb_froms() is returning an sshbuf in server_host_key_blob which is a reference to the string being consumed from the packet being read, setting that original packet as its parent. As a result, the “ssh” buffer now has a refcount of 2, and when it returns to the top of the do {...} while and tries to read another packet into “ssh”, it gets the error about the sshbuf being “read-only” (for good reason).
>
> We track the gsskex patches in the following github repository:
>
> https://github.com/openssh-gsskex/openssh-gsskex/
>
> I did not read into details about that, but believe I already saw this issue and we were fixing it:
>
> https://github.com/openssh-gsskex/openssh-gsskex/pull/19
>
> Unfortunately, the repository is not completely up to date, but both Colin and Dmitry should be able to help you around here.
Thanks, Jakub! I did find that Github page, but went looking for the 9.0p1 Debian patch because it seemed more up to date than the Git repo. As you mentioned, it seems like that Git repo is based on something like 8.3p1, though there is an outstanding rebase to 8.8p1 which would get it closer.
The pull request you mention here is also still waiting to be integrated. I appreciate the pointer to that, though — it suggests a possible approach to handling the memory management using sshpkt_get_string() and sshbuf_from(). I’ll give it a try!
I appreciate the help...
--
Ron Frederick
ronf@xxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
