From: Yoshihiro Koya
To: FreeBSD-gnats-submit@freebsd.org
Date: Mon, 04 Jun 2001 05:30:53 +0900
Message-Id: <20010604053053T.koya@pluto.math.yokohama-cu.ac.jp>
X-Send-Pr-Version: 3.113
Subject: bin/27860: sshd caught signal 10

>Number:         27860
>Category:       bin
>Synopsis:       sshd dumps core
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 03 13:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Yoshihiro Koya
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Dept. of Math. Sci., Yokohama City Univ.
>Environment:
System: FreeBSD current.my.domain 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed May 30 00:38:02 JST 2001 root@current.my.domain:/usr/obj/usr/src/sys/current i386
OpenSSH_2.9 green@FreeBSD.org 20010503, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

>Description:
A too-long user name causes sshd to dump core. I tried to make a patch, but I couldn't do it.
The following is the output from gdb.

    current# ls
    .cshrc      cdrom    etc         root       tmp
    .profile    compat   home        sbin       usr
    COPYRIGHT   dev      lost+found  sshd.core  var
    bin         dist     mnt         stand
    boot        entropy  proc        sys
    current# gdb /usr/sbin/sshd sshd.core
    GNU gdb 4.18
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-unknown-freebsd"...(no debugging symbols found)...
    Core was generated by `sshd'.
    Program terminated with signal 10, Bus error.
    Reading symbols from /usr/lib/libopie.so.2...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libcrypto.so.2...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libz.so.2...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libc.so.5...(no debugging symbols found)...done.
    Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...done.
    #0  0x28225f32 in __log2 () from /usr/lib/libc.so.5
    (gdb) where
    #0  0x28225f32 in __log2 () from /usr/lib/libc.so.5
    #1  0x28223d1c in __call_hash () from /usr/lib/libc.so.5
    #2  0x28223623 in __hash_open () from /usr/lib/libc.so.5
    #3  0x282234be in __hash_open () from /usr/lib/libc.so.5
    #4  0x281ec203 in endpwent () from /usr/lib/libc.so.5
    #5  0x281eb21a in netname2host () from /usr/lib/libc.so.5
    #6  0x281ebbdc in netname2host () from /usr/lib/libc.so.5
    #7  0x28213f95 in nsdispatch () from /usr/lib/libc.so.5
    #8  0x281ebf45 in getpwnam () from /usr/lib/libc.so.5
    #9  0x80537b5 in getsockname ()
    #10 0x805e74f in getsockname ()
    #11 0x80535a2 in getsockname ()
    #12 0x804dc23 in getsockname ()
    #13 0x804c0f9 in getsockname ()

>How-To-Repeat:
Type

    % slogin localhost -l xxxx<10000 times x's>xxx

For example, use the following small program:

    /* genx.c: print 10000 x's on stdout, to be used as a login name */
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        int i;

        for (i = 0; i < 10000; i++)
            putchar('x');
        return 0;
    }

and type

    % slogin localhost -l `./genx`

Then you may get something like the following:

    Jun  4 04:54:43 current /boot/kernel/kernel: pid 2479 (sshd), uid 0: exited on signal 10 (core dumped)

>Fix:
Unfortunately I don't have enough time to find what causes this, and I also don't have a good idea how to fix it. But the above __log2 function may be found in /usr/src/lib/libc/db/hash/hash_log2.c.

>Release-Note:
>Audit-Trail:
>Unformatted:
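The backtrace above shows the client-supplied login name travelling from sshd through getpwnam(3) into libc's hash database code before anything checks its size. As an added example (not code from the PR, from OpenSSH, or from FreeBSD's libc), the following shows the kind of defensive check a server can apply before a name reaches the password database: bound the length to the platform's login-name limit and restrict the characters to the POSIX portable login-name set. The limit is taken from LOGIN_NAME_MAX or sysconf(3); the fallback of 33 and the helper names valid_login_name and check_repeated_name are assumptions made for this example.

```c
/* Added example (not from the PR or from OpenSSH): a defensive length and
 * character check for a client-supplied login name, run before the name is
 * handed to getpwnam(3), so that a 10000-byte name like the one in the
 * report is rejected up front. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Largest login-name buffer the platform supports, counting the terminating
 * NUL as POSIX does for LOGIN_NAME_MAX. Prefer the compile-time constant,
 * then sysconf(3); the final fallback of 33 (FreeBSD's MAXLOGNAME, NUL
 * included) is an assumption chosen for platforms that report neither. */
static size_t login_name_limit(void)
{
#ifdef LOGIN_NAME_MAX
    return (size_t)LOGIN_NAME_MAX;
#else
    long v = sysconf(_SC_LOGIN_NAME_MAX);
    return v > 0 ? (size_t)v : 33;
#endif
}

/* Returns 1 if name may be passed to the password database, 0 otherwise.
 * The scan never looks beyond the limit, so an oversized or unterminated
 * buffer is not walked past its end. */
int valid_login_name(const char *name)
{
    size_t limit = login_name_limit();
    size_t n = 0;

    if (name == NULL)
        return 0;
    while (n < limit && name[n] != '\0')
        n++;
    if (n == 0 || n == limit)   /* empty, or no NUL within the limit: too long */
        return 0;
    if (name[0] == '-')         /* a leading '-' is parsed as an option by many tools */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        /* POSIX portable login-name alphabet: letters, digits, '.', '_', '-' */
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Helper mirroring the report's genx reproduction: build a name made of
 * n copies of c and run it through the check. Returns the check's verdict,
 * or -1 if the buffer could not be allocated. */
int check_repeated_name(char c, size_t n)
{
    char *buf = malloc(n + 1);
    int rc;

    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = c;
    buf[n] = '\0';
    rc = valid_login_name(buf);
    free(buf);
    return rc;
}

int main(void)
{
    /* Constructed inputs: the 10000 x's from the report, and an ordinary name. */
    printf("10000 x's: %s\n", check_repeated_name('x', 10000) ? "accepted" : "rejected");
    printf("koya:      %s\n", valid_login_name("koya") ? "accepted" : "rejected");
    return 0;
}
```

The point of checking at the network boundary is that every layer below (the NSS dispatcher, the password-file lookup, the db(3) hash code) is then only ever handed names of a size it was written for; the check is cheap and makes the crash path in the backtrace unreachable from an unauthenticated client regardless of where the underlying defect in libc turns out to be.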