From owner-freebsd-ports Tue Jan 21 09:32:45 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id JAA01315 for ports-outgoing; Tue, 21 Jan 1997 09:32:45 -0800 (PST)
Received: from labs.usn.blaze.net.au (labs.usn.blaze.net.au [203.17.53.30]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id JAA01296; Tue, 21 Jan 1997 09:32:30 -0800 (PST)
Received: (from davidn@localhost) by labs.usn.blaze.net.au (8.8.4/8.8.4) id EAA02388; Wed, 22 Jan 1997 04:31:58 +1100 (EST)
Message-ID:
Date: Wed, 22 Jan 1997 04:31:58 +1100
From: davidn@unique.usn.blaze.net.au (David Nugent)
To: ssh-bugs@cs.hut.fi
Cc: torstenb@freebsd.org, freebsd-ports@freebsd.org
Subject: Bug in sshd 2.1.17
X-Mailer: Mutt 0.56
Mime-Version: 1.0
Sender: owner-ports@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

There is a bug present in sshd from the ssh 2.1.17 package which under some circumstances will cause a pointer to be freed twice. The bug appears to be triggered as a result of calling auth_delete_socket() twice after a disconnect where (X?) authentication forwarding is in effect. The environment running here is FreeBSD, -current (3.0) version.

This problem becomes obvious when configuring the system malloc(3) to fill freed memory with junk on free(), and if abort() on such an error is enabled, sshd will loop in the SIGABRT handler, using as much CPU and memory as is available to it. The simplest way of avoiding the problem is to set two variables to NULL after being freed.
Apply the following patch as a fix: *** newchannels.c.orig Wed Jan 22 04:22:57 1997 --- newchannels.c Wed Jan 22 04:12:48 1997 *************** *** 1789,1799 **** --- 1789,1801 ---- { remove(channel_forwarded_auth_socket_name); xfree(channel_forwarded_auth_socket_name); + channel_forwarded_auth_socket_name = NULL; } if (channel_forwarded_auth_socket_dir_name) { rmdir(channel_forwarded_auth_socket_dir_name); xfree(channel_forwarded_auth_socket_dir_name); + channel_forwarded_auth_socket_dir_name = NULL; } } Regards, David Nugent - Unique Computing Pty Ltd - Melbourne, Australia Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
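Review bot: the two `= NULL` assignments after `xfree()` make the guarded blocks idempotent, so the second auth_delete_socket() call described in the report now finds a NULL pointer and skips the free; the visible `if (channel_forwarded_auth_socket_dir_name)` guard is what makes this work for the directory name, and the first block presumably sits under a matching `if (channel_forwarded_auth_socket_name)` just above the hunk's opening `{`, which is outside the shown context and worth confirming. This closes the double free but leaves the underlying cause (the function being reached twice per disconnect) in place, so the caller merits a separate look. Also confirm that every other xfree() of these two globals clears the pointer the same way, since any site that frees without nulling would reintroduce the same hazard through these guards. Minor and pre-existing: the remove() and rmdir() return values are unchecked, so a failed unlink of the forwarded socket path goes unnoticed.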
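The pattern the report describes, a cleanup routine that frees two global pointers and is reached twice, is shown below as an added example; it is not sshd's code and not the patch above. The names `auth_socket_name`, `auth_socket_dir_name`, `auth_delete_socket_unsafe()` and `auth_delete_socket_safe()` are assumptions chosen to mirror the report, and a small tracking allocator stands in for a junk-filling malloc(3) so the double free is counted rather than aborting the process. The two file-system calls (remove(), rmdir()) are left out so the example runs without touching the disk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed globals mirroring the two pointers in the report (not sshd's names). */
static char *auth_socket_name;
static char *auth_socket_dir_name;

/* Tracking allocator: remembers live allocations so a free of a pointer that is
 * no longer live (a double free) can be counted instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p)
        abort();
    memcpy(p, s, n);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    abort(); /* table full; never reached in this example */
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    /* Pointer was not live: a second free of the same block. A junk-filling
     * malloc would abort here; we record it so the caller can inspect it. */
    double_free_count++;
}

/* 'Before': frees the buffers but leaves the globals dangling, so a second
 * call passes the NULL checks and frees the same blocks again. */
static void auth_delete_socket_unsafe(void)
{
    if (auth_socket_name)
        tracked_free(auth_socket_name);
    if (auth_socket_dir_name)
        tracked_free(auth_socket_dir_name);
}

/* 'After': clear each pointer right after freeing it, so the guards make the
 * routine idempotent and a repeated call is harmless. */
static void auth_delete_socket_safe(void)
{
    if (auth_socket_name) {
        tracked_free(auth_socket_name);
        auth_socket_name = NULL;
    }
    if (auth_socket_dir_name) {
        tracked_free(auth_socket_dir_name);
        auth_socket_dir_name = NULL;
    }
}

/* Simulate one session: allocate both names, then run cleanup twice, as the
 * report says happens on disconnect. Returns the number of double frees seen.
 * The path strings are constructed sample values. */
static int simulate(void (*cleanup)(void))
{
    double_free_count = 0;
    auth_socket_name = tracked_strdup("/tmp/ssh-example/agent.sock");
    auth_socket_dir_name = tracked_strdup("/tmp/ssh-example");
    cleanup();
    cleanup();
    /* Reset the globals so the next simulation starts from a clean state
     * (in the unsafe case they are still dangling at this point). */
    auth_socket_name = NULL;
    auth_socket_dir_name = NULL;
    return double_free_count;
}

int main(void)
{
    printf("unsafe cleanup: %d double free(s)\n", simulate(auth_delete_socket_unsafe));
    printf("safe cleanup:   %d double free(s)\n", simulate(auth_delete_socket_safe));
    return 0;
}
```

The unsafe variant reports two double frees on the second call, one per global; the safe variant reports none because the guards see NULL. The tracking allocator is only a test aid: in production the same check is what a junk-filling or abort-on-error malloc(3) performs, and the cure is the same pointer clearing the patch applies.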