[Sshpass-devel] sshpass sometimes fails with errcode=5

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Dear maintainers,

We found sometimes sshpass fails to connect with error code 5.
Looking in to the code I see two things:

int handleoutput( int fd )
{
     // We are looking for the string
     static int prevmatch=0; // If the "password" prompt is repeated, we 
have the wrong password.
     static int state1, state2;
...

Later state1, state2 are used to match the output with password prompt 
but since they are not initialized, the 'match' function works 
unpredictable and returns true when it should return false.
We saw this problem with new new OpenSSH_7.6p1 at the server side when 
we using gssapikeyexchange=no, in this case ssh client also prints:
"command-line line 0: Unsupported option "gssapikeyexchange" and retcode 
= 5" and sometimes sshpass fails with 5.

Later in the code we can see why it returns 5:

     if( !prevmatch ) {
             if( args.verbose )
                 fprintf(stderr, "SSHPASS detected prompt. Sending 
password.\n");
         write_pass( fd );
         state1=0;
         prevmatch=1;
     } else {
         // Wrong password - terminate with proper error code
             if( args.verbose )
                 fprintf(stderr, "SSHPASS detected prompt, again. Wrong 
password. Terminating.\n");
         ret=RETURN_INCORRECT_PASSWORD;
     }

So, my suggestion is match function doesn't work always correctly 
because of initialized state1, state2.

There is also one more place which looks suspiciously to me:

int match( const char *reference, const char *buffer, ssize_t bufsize, 
int state )
{
     // This is a highly simplisic implementation. It's good enough for 
matching "Password: ", though.
     int i;
     for( i=0;reference[state]!='\0' && i<bufsize; ++i ) {
     if( reference[state]==buffer[i] )
         state++;
     else {
         state=0;
         if( reference[state]==buffer[i] )
         state++;
     }
     }

     return state;
}

I'm not sure about reference[state]!='\0', is there additional byte for 
'\0' in the compare1 which is passed from handleoutput to match as the 
reference?

Kind regards,
Alexey Komarov