We patched libssh2.c ourselves with those changes to check for NULL pointer:

In kbd_callback function:

static void
kbd_callback(const char *name, int name_len, const char *instruction,
             int instruction_len, int num_prompts,
             const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,
             LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses,
             void **abstract)

if(num_prompts == 1) { responses[0].text = conn->passwd ? strdup(conn->passwd) : NULL; responses[0].length = conn->passwd ? curlx_uztoui(strlen(conn->passwd)) : 0; }

So we added check with ? For whether variable is NULL.

And later in ssh_statemach_act:

static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)

We also got NULL checks before passing values:

      rc = libssh2_userauth_password_ex(sshc->ssh_session, 
                                        conn->user ? conn->user : "",
                                        conn->user ? curlx_uztoui(strlen(conn->user)) : 0,
                                        conn->passwd ? conn->passwd: "",
                                        conn->passwd ? curlx_uztoui(strlen(conn->passwd)) : 0,
                                        NULL);

In may be better to earlier check this once and set to empty string if it is NULL.

Could someone confirm the problem and maybe include the changes for future releases?

Note there are several other places in libcurl's libssh2.c where it assumes conn->user is not NULL and does strlen(conn->user). libssh2 code in libssh2_userauth_password_ex passes around username and password parameters to functions that check for NULL, though I notice the documentation doesn't explicitly state they may be NULL.

For the keyboard callback it looks like we are assuming not NULL as well for conn->passwd. The LIBSSH2_USERAUTH_KBDINT_RESPONSE is not documented, though it is used in a number of examples. I'm not sure of the right behavior, and none of the examples I saw set response to NULL.

/cc @willco007

I got the crashes here by using just an sftp:// URL and did not specify username and password.
Seems like the default value for username and password is NULL.

Yup it's a problem but I don't whether it's right to pass them as an empty string or NULL, that's why I cc'd one of the libssh2 developers.

I'm not super familiar with this code, but in a quick audit of the libssh2 code, it looks safe to pass NULL for user/password.

Thanks. @MonkeybreadSoftware do you want to submit a PR?

I am trying here:

#6694

Although I would like to know if someone has an idea what changed within the last release or two, which could break this.

#6694

That uses empty strings instead of NULL, but as Will noted you can pass NULL. Basically all the strlen(conn->user) or strlen(conn->passwd) need to be checked before passing to strlen and I think that's it, unless you are getting a null deref inside libssh2.

Although I would like to know if someone has an idea what changed within the last release or two, which could break this.

I don't know that anything did. You could do a bisect to find that out.

Without checking, I suspect I might've caused this with 46620b9... ?

Well, used there be a place which ensured ->user and ->passwd where always non NULL?
if such a line existed it may have been removed in recent changes.

I think it is better to have local code deal with that, to properly allow separation between no user name and a blank user name.