lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-08-05 20:55:46 +03:00
Code Activity

CVE-2025-5449 tests: Reproducer for sftp handles exhaustion

Browse Source 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
2025-04-22 21:32:25 +02:00
committed by Andreas Schneider
parent db7f101d1c
commit a4118ddc06
1 changed files with 51 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
tests/server/torture_sftpserver.c
View File

@@ -277,10 +277,10 @@ static int session_setup(void **state)
static int session_setup_sftp(void **state) static int session_setup_sftp(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s; struct torture_state *s = NULL;
struct torture_sftp *tsftp; struct torture_sftp *tsftp = NULL;
ssh_session session; ssh_session session = NULL;
sftp_session sftp; sftp_session sftp = NULL;
int rc; int rc;
assert_non_null(tss); assert_non_null(tss);
@@ -1081,6 +1081,50 @@ torture_server_sftp_setstat(void **state)
sftp_attributes_free(tmp_attr); sftp_attributes_free(tmp_attr);
} }
/* The max number of handles is 256 in sftpserver.h -- keep in sync! */
#define SFTP_HANDLES 256
static void torture_server_sftp_handles_exhaustion(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
struct torture_sftp *tsftp = NULL;
char name[128] = {0};
sftp_file handle, handles[SFTP_HANDLES] = {0};
sftp_session sftp = NULL;
int rc;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
tsftp = s->ssh.tsftp;
assert_non_null(tsftp);
sftp = tsftp->sftp;
assert_non_null(sftp);
/* Occupy all handles */
for (int i = 0; i < SFTP_HANDLES; i++) {
snprintf(name, sizeof(name), "%s/fn%d", tsftp->testdir, i);
handles[i] = sftp_open(sftp, name, O_WRONLY | O_CREAT, 0700);
assert_non_null(handles[i]);
}
/* Next handle should fail, but not crash or OOB */
snprintf(name, sizeof(name), "%s/failfn", tsftp->testdir);
handle = sftp_open(sftp, name, O_WRONLY | O_CREAT, 0700);
assert_null(handle);
/* cleanup */
for (int i = 0; i < SFTP_HANDLES; i++) {
snprintf(name, sizeof(name), "%s/fn%d", tsftp->testdir, i);
rc = sftp_close(handles[i]);
assert_int_equal(rc, SSH_OK);
}
}
int torture_run_tests(void) { int torture_run_tests(void) {
int rc; int rc;
struct CMUnitTest tests[] = { struct CMUnitTest tests[] = {
@@ -1108,6 +1152,9 @@ int torture_run_tests(void) {
cmocka_unit_test_setup_teardown(torture_server_sftp_setstat, cmocka_unit_test_setup_teardown(torture_server_sftp_setstat,
session_setup_sftp, session_setup_sftp,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_server_sftp_handles_exhaustion,
session_setup_sftp,
session_teardown),
}; };
ssh_init(); ssh_init();