Bug 43221 - openssh 2.9.1p1-3gss crashes repeatedly
Summary: openssh 2.9.1p1-3gss crashes repeatedly
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: openssh (Show other bugs)
(Show other bugs)
Version: 1.0
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-06-01 22:29 UTC by Jonathan Kamens
Modified: 2008-05-01 15:38 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-08-02 16:12:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix memory overrun in clientloop.c (366 bytes, patch)
2001-07-12 02:05 UTC, Jonathan Kamens
no flags Details | Diff
Another memory overrun fix (1.43 KB, patch)
2001-07-12 12:31 UTC, Jonathan Kamens
no flags Details | Diff

Description Jonathan Kamens 2001-06-01 22:29:04 UTC
The ssh client in openssh 2.9.1p1-3gss crashes repeatedly when connecting
to "Remote protocol version 1.99, remote software version OpenSSH_2.9p1"
(openssh-server-2.9p1-1 package).  Downgrading to openssh-2.9p1-2 appears
to make the problem go away (if it recurs, I'll let you know).

The crashes may be related to window resizes, although I'm not certain
about that.  Either that, or they're related to when a large burst of data
comes all at once.

Comment 1 Jonathan Kamens 2001-07-12 02:04:55 UTC
I found the problem. There's code in clientloop.c that's zeroing out an fd_set
structure using memset and assuming that the fd_set has one byte per file
descriptor rather than one *bit* per file descriptor.  In fact, it should just
use FD_ZERO to zero out the fd_set.  I will attach a patch (which you will of
course forward back to the maintainers of openssh :-).


Comment 2 Jonathan Kamens 2001-07-12 02:05:37 UTC
Created attachment 23349 [details]
Fix memory overrun in clientloop.c

Comment 3 Jonathan Kamens 2001-07-12 12:31:21 UTC
The path I submitted last night was wrong.  How was I to know that the things
openssh calls "fd_set"s aren't really "fd_set"s, but are actually instead arrays
of dynamic length? :-)

I'll attach a new patch.


Comment 4 Jonathan Kamens 2001-07-12 12:31:54 UTC
Created attachment 23388 [details]
Another memory overrun fix

Comment 5 Pekka Savola 2001-08-02 13:57:17 UTC
I bet this is a bug introduced by gss patches.

Comment 6 Jonathan Kamens 2001-08-02 14:06:35 UTC
The code I patched is clearly buggy, and my patch applies cleanly even
without the GSS-API patch applied first.

I explained specifically what the bug is, and if you read my
explanation and patch, it is clear that the code is wrong and needs to
be fixed.

I'm *sure* that if I used a version of SSH without the GSS-API patch
and without my fix to this bug, SSH would continue to crash on me.

Since I built a new version of ssh with my patch, it hasn't crashed on
me once, even though I've been running it the entire time with
ElectricFence.

Comment 7 Pekka Savola 2001-08-02 15:24:06 UTC
Uhh, sorry for my uneducated guess.  :-)  One just has to wonder why this hasn't been happening ever to anyone else.
gss patches, in one way or another, could have been a common term...

I can post the patch upstream, see what they think..

Comment 8 Jonathan Kamens 2001-08-02 16:12:18 UTC
I suspect that other people *have* run into this; they probably just chalked it
up to flakies and restarted ssh, as I did for a long time before I finally
decided to track down the problem.

It's also possible that the version of ssh in which this bug was introduced is
not yet widely deployed.

It's also possible that the particular usage paradigm which tickles the bug is
not all that common.  I frequently do port forwarding, X forwarding, agent
forwarding, etc.  I suspect you need to be using a good number of file
descriptors before this bug kicks in.


Comment 9 Nalin Dahyabhai 2001-09-06 12:53:40 UTC
The patch looks right to me (the old behavior cleared one byte for each FD, when
 the fd_set being packed requires clearing one bit); it will be integrated into
2.9p2-7 and later.  Thanks!


Note You need to log in before you can comment on or make changes to this bug.