Date: Wed, 22 Jan 1997 04:31:58 +1100
From: davidn@unique.usn.blaze.net.au (David Nugent)
To: ssh-bugs@cs.hut.fi
Cc: torstenb@freebsd.org, freebsd-ports@freebsd.org
Subject: Bug in sshd 2.1.17
Message-ID: <Mutt.19970122043158.davidn@labs.blaze.net.au>
There is a bug present in sshd from the ssh 2.1.17 package which, under some circumstances, will cause a pointer to be freed twice. The bug appears to be triggered as a result of calling auth_delete_socket() twice after a disconnect where (X?) authentication forwarding is in effect. The environment running here is FreeBSD, -current (3.0) version.

This problem becomes obvious when configuring the system malloc(3) to fill freed memory with junk on free(), and if abort() on such an error is enabled, sshd will loop in the SIGABRT handler, using as much CPU and memory as is available to it.

The simplest way of avoiding the problem is to set two variables to NULL after being freed. Apply the following patch as a fix:

*** newchannels.c.orig	Wed Jan 22 04:22:57 1997
--- newchannels.c	Wed Jan 22 04:12:48 1997
***************
*** 1789,1799 ****
--- 1789,1801 ----
      {
        remove(channel_forwarded_auth_socket_name);
        xfree(channel_forwarded_auth_socket_name);
+       channel_forwarded_auth_socket_name = NULL;
      }
    if (channel_forwarded_auth_socket_dir_name)
      {
        rmdir(channel_forwarded_auth_socket_dir_name);
        xfree(channel_forwarded_auth_socket_dir_name);
+       channel_forwarded_auth_socket_dir_name = NULL;
      }
  }

Regards,
David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547   Data/BBS +61-3-9792-3507   3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
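Review bot: the NULL assignments only prevent the second free if each xfree() call sits under an if (...) guard on the same global, and the hunk shows that guard only for channel_forwarded_auth_socket_dir_name; the opening "{" at line 1789 means the guard for channel_forwarded_auth_socket_name lies above the hunk, so confirm it is there, otherwise the second call would pass NULL to remove() and xfree() instead of a dangling pointer. A one-line comment next to each "= NULL" saying that auth_delete_socket() can run twice on disconnect would keep a later cleanup from dropping the assignments as redundant, and the cover text rightly notes that this is the simplest fix rather than a fix for the function being called twice.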
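The following is an added illustration of the failure mode in the mail and of the fix; it is not code from the mail or from the ssh source. A tiny live-pointer table (a constructed stand-in for a malloc(3) configured to catch double frees, with a counter in place of abort()) is used to show that a cleanup routine in the pre-patch shape reports two double frees when called twice after a disconnect, while the NULL-after-free shape reports none. The names socket_name, socket_dir_name, setup_names() and the two delete_socket_*() functions are hypothetical stand-ins for the globals and auth_delete_socket() in newchannels.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an allocator that detects double frees.
   Instead of aborting (as the FreeBSD malloc option does), it counts
   the event and refuses to free the pointer a second time. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count = 0;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) abort();
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    abort(); /* table full; cannot happen with two allocations */
}

/* Returns 1 if p was live and is now freed, 0 if p is NULL, and -1 if p
   was not live, i.e. this is a double free (or a free of an unknown pointer). */
static int tracked_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    }
    double_free_count++;
    return -1;
}

/* Hypothetical stand-ins for the two globals in newchannels.c. */
static char *socket_name = NULL;
static char *socket_dir_name = NULL;

static void setup_names(void) {
    socket_name = tracked_alloc(32);
    strcpy(socket_name, "agent-socket");      /* constructed sample value */
    socket_dir_name = tracked_alloc(32);
    strcpy(socket_dir_name, "agent-socket-dir"); /* constructed sample value */
}

/* Pre-patch shape: frees both names but leaves the globals dangling,
   so a second call hands the same pointers to free() again.
   (remove()/rmdir() are omitted; nothing touches the filesystem here.) */
static void delete_socket_unpatched(void) {
    if (socket_name) tracked_free(socket_name);
    if (socket_dir_name) tracked_free(socket_dir_name);
}

/* Patched shape: clear each global right after freeing it, so the
   if-guards make a second call a no-op. */
static void delete_socket_patched(void) {
    if (socket_name) { tracked_free(socket_name); socket_name = NULL; }
    if (socket_dir_name) { tracked_free(socket_dir_name); socket_dir_name = NULL; }
}

/* Runs the given cleanup twice, as the disconnect path in the mail does,
   and returns how many double frees the tracker recorded. */
static int double_frees_when_called_twice(void (*cleanup)(void)) {
    double_free_count = 0;
    memset(live, 0, sizeof live);
    setup_names();
    cleanup();
    cleanup();
    socket_name = NULL;      /* leave the globals clean for the next run */
    socket_dir_name = NULL;
    return double_free_count;
}

int unpatched_double_frees(void) { return double_frees_when_called_twice(delete_socket_unpatched); }
int patched_double_frees(void)   { return double_frees_when_called_twice(delete_socket_patched); }

int main(void) {
    printf("unpatched cleanup called twice: %d double free(s)\n", unpatched_double_frees());
    printf("patched cleanup called twice:   %d double free(s)\n", patched_double_frees());
    return 0;
}
```

The tracker compares the value of an already-freed pointer, which is fine for a demonstration but is exactly what a junk-filling malloc(3) catches in production; the point is that NULLing the pointer makes the second pass through the guard observable as a no-op rather than relying on the allocator to notice.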