libssh2_session_method_pref() to throw error for bad method names

Thu Feb 27 20:10:07 CET 2025

Hello Team,

We are upgrading from Libssh2 1.10 to 1.11.1. We found that calling kex.c: libssh2_session_method_pref() with bad method names did not throw an error.

It looks like key extension indicators were added with the new update, but the error handling for LIBSSH2_ERROR_METHOD_NOT_SUPPORTED continues to check for empty string.  https://github.com/libssh2/libssh2/commit/00e2a07e824db8798d94809156e9fb4e70a42f89

What do folks think about this update in error handling?

In https://github.com/libssh2/libssh2/blob/master/src/kex.c: 4310
-    if(!*newprefs) {
+    // ignore trailing comma in kex_extensions when comparing
+    if((strlen(newprefs) == (kex_extensions_len-1)) &&
+            (strncmp(newprefs, kex_extensions, (kex_extensions_len-1)) == 0)) {
         LIBSSH2_FREE(session, newprefs);
         return _libssh2_error(session, LIBSSH2_ERROR_METHOD_NOT_SUPPORTED,
                               "The requested method(s) are not currently "
                               "supported");
     }

Thanks,
Amy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.haxx.se/pipermail/libssh2-devel/attachments/20250227/a663d772/attachment.htm>