Bug 43221 - openssh 2.9.1p1-3gss crashes repeatedly
openssh 2.9.1p1-3gss crashes repeatedly
Status: CLOSED RAWHIDE
Product: Red Hat Raw Hide
Classification: Retired
Component: openssh (Show other bugs)
1.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-06-01 18:29 EDT by Jonathan Kamens
Modified: 2008-05-01 11:38 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-08-02 12:12:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix memory overrun in clientloop.c (366 bytes, patch)
2001-07-11 22:05 EDT, Jonathan Kamens
no flags Details | Diff
Another memory overrun fix (1.43 KB, patch)
2001-07-12 08:31 EDT, Jonathan Kamens
no flags Details | Diff

  None (edit)
Description Jonathan Kamens 2001-06-01 18:29:04 EDT
The ssh client in openssh 2.9.1p1-3gss crashes repeatedly when connecting
to "Remote protocol version 1.99, remote software version OpenSSH_2.9p1"
(openssh-server-2.9p1-1 package).  Downgrading to openssh-2.9p1-2 appears
to make the problem go away (if it recurs, I'll let you know).

The crashes may be related to window resizes, although I'm not certain
about that.  Either that, or they're related to when a large burst of data
comes all at once.
Comment 1 Jonathan Kamens 2001-07-11 22:04:55 EDT
I found the problem. There's code in clientloop.c that's zeroing out an fd_set
structure using memset and assuming that the fd_set has one byte per file
descriptor rather than one *bit* per file descriptor.  In fact, it should just
use FD_ZERO to zero out the fd_set.  I will attach a patch (which you will of
course forward back to the maintainers of openssh :-).
Comment 2 Jonathan Kamens 2001-07-11 22:05:37 EDT
Created attachment 23349 [details]
Fix memory overrun in clientloop.c
Comment 3 Jonathan Kamens 2001-07-12 08:31:21 EDT
The path I submitted last night was wrong.  How was I to know that the things
openssh calls "fd_set"s aren't really "fd_set"s, but are actually instead arrays
of dynamic length? :-)

I'll attach a new patch.
Comment 4 Jonathan Kamens 2001-07-12 08:31:54 EDT
Created attachment 23388 [details]
Another memory overrun fix
Comment 5 Pekka Savola 2001-08-02 09:57:17 EDT
I bet this is a bug introduced by gss patches.
Comment 6 Jonathan Kamens 2001-08-02 10:06:35 EDT
The code I patched is clearly buggy, and my patch applies cleanly even
without the GSS-API patch applied first.

I explained specifically what the bug is, and if you read my
explanation and patch, it is clear that the code is wrong and needs to
be fixed.

I'm *sure* that if I used a version of SSH without the GSS-API patch
and without my fix to this bug, SSH would continue to crash on me.

Since I built a new version of ssh with my patch, it hasn't crashed on
me once, even though I've been running it the entire time with
ElectricFence.
Comment 7 Pekka Savola 2001-08-02 11:24:06 EDT
Uhh, sorry for my uneducated guess.  :-)  One just has to wonder why this hasn't been happening ever to anyone else.
gss patches, in one way or another, could have been a common term...

I can post the patch upstream, see what they think..
Comment 8 Jonathan Kamens 2001-08-02 12:12:18 EDT
I suspect that other people *have* run into this; they probably just chalked it
up to flakies and restarted ssh, as I did for a long time before I finally
decided to track down the problem.

It's also possible that the version of ssh in which this bug was introduced is
not yet widely deployed.

It's also possible that the particular usage paradigm which tickles the bug is
not all that common.  I frequently do port forwarding, X forwarding, agent
forwarding, etc.  I suspect you need to be using a good number of file
descriptors before this bug kicks in.
Comment 9 Nalin Dahyabhai 2001-09-06 08:53:40 EDT
The patch looks right to me (the old behavior cleared one byte for each FD, when
 the fd_set being packed requires clearing one bit); it will be integrated into
2.9p2-7 and later.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.