From: Tyler Hall <tylerwhall@gmail.com>
Date: Mon, 14 Oct 2013 20:24:17 +0000 (+0200)
Subject: ssh: Handle successful SSH_USERAUTH_NONE
X-Git-Tag: curl-7_34_0~236
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0218a737fe7b8f47d07d815e4b75648078ddc5d2;p=thirdparty%2Fcurl.git

ssh: Handle successful SSH_USERAUTH_NONE

According to the documentation for libssh2_userauth_list(), a NULL
return value is not necessarily an error. You must call
libssh2_userauth_authenticated() to determine if the SSH_USERAUTH_NONE
request was successful.

This fixes a segv when using sftp on a server that allows logins with an
empty password. When NULL was interpreted as an error, it would
free the session but not flag an error since the libssh2 errno would be
clear. This resulted in dereferencing a NULL session pointer.

Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
---

diff --git a/lib/ssh.c b/lib/ssh.c
index c213225db4..79f58bbf3c 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -754,7 +754,13 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
                                              curlx_uztoui(strlen(conn->user)));
 
       if(!sshc->authlist) {
-        if((err = libssh2_session_last_errno(sshc->ssh_session)) ==
+        if(libssh2_userauth_authenticated(sshc->ssh_session)) {
+          sshc->authed = TRUE;
+          infof(data, "SSH user accepted with no authentication\n");
+          state(conn, SSH_AUTH_DONE);
+          break;
+        }
+        else if((err = libssh2_session_last_errno(sshc->ssh_session)) ==
            LIBSSH2_ERROR_EAGAIN) {
           rc = LIBSSH2_ERROR_EAGAIN;
           break;