RT/krbdev.mit.edu: Ticket #2661 fake_getaddrinfo on address that doesn't reverse resolve causes crash
The Basics
Id: 2661
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component: krb5-libs
Tags:
Version_reported: 1.4
Version_Fixed: 1.4
Target_Version: 1.4

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:

Dates
Created: Mon Aug 9 13:50:35 2004
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Fri Dec 17 19:16:06 2004 by tlyu

People
Owner: raeburn
Requestors: lxs@mit.edu
Cc:
AdminCc:
History
Mon Aug  9 13:50:36 2004  lxs - Ticket created
Subject: fake_getaddrinfo on address that doesn't reverse resolve causes crash

I tried to ssh to a machine whose name doesn't reverse resolve (meeroh.org) and ssh
crashed.  The last ssh log messages are:

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2003-0693
debug3: Trying to reverse map address 204.188.130.39.
Bus error

The crash log says we are to blame.

Host Name:      elmekia-flame.mit.edu
Date/Time:      2004-08-09 11:46:40 -0400
OS Version:     10.3.4 (Build 7H63)
Report Version: 2

Command: ssh
Path:    /usr/bin/ssh
Version: ??? (???)
PID:     27202
Thread:  0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   libSystem.B.dylib 	0x90006e40 strlen + 0x20
1   libSystem.B.dylib 	0x9000cf58 strdup + 0x18
2   edu.mit.Kerberos  	0x200a2784 fai_add_hosts_by_name + 0x234
3   edu.mit.Kerberos  	0x200a23d0 fake_getaddrinfo + 0x1b4
4   edu.mit.Kerberos  	0x200a1f54 krb5_sname_to_principal + 0xbc
5   edu.mit.Kerberos  	0x20076148 krb5_gss_import_name + 0x114
6   ssh               	0x000259d0 0x1000 + 0x249d0
7   ssh               	0x00025bac 0x1000 + 0x24bac
8   ssh               	0x00025150 0x1000 + 0x24150
9   ssh               	0x0000ee80 0x1000 + 0xde80
10  ssh               	0x0000d37c 0x1000 + 0xc37c
11  ssh               	0x00006ee8 0x1000 + 0x5ee8
12  ssh               	0x000058e0 0x1000 + 0x48e0
13  ssh               	0x00005754 0x1000 + 0x4754


This is the krb5 trunk (fake-addrinfo.h revision 1.49) and Panther (10.3.4).
Assigned to Ken because I think he worked on the fake getaddrinfo stuff last.


Mon Aug  9 15:07:19 2004  raeburn - Comments added

Cc: krb5-prs@mit.edu
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #2661] fake_getaddrinfo on address that doesn't reverse resolve causes crash
Date: Mon, 9 Aug 2004 15:07:16 -0400
To: rt-comment@krbdev.mit.edu

On Aug 9, 2004, at 13:50, Alexandra Ellwood via RT wrote:
> I tried to ssh to a machine whose name doesn't reverse resolve
> (meeroh.org) and ssh
> crashed.  The last ssh log messages are:
>
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2003-0693
> debug3: Trying to reverse map address 204.188.130.39.
> Bus error
>
> The crash log says we are to blame.
>
> Host Name:      elmekia-flame.mit.edu
> Date/Time:      2004-08-09 11:46:40 -0400
> OS Version:     10.3.4 (Build 7H63)
> Report Version: 2
>
> Command: ssh
> Path:    /usr/bin/ssh
> Version: ??? (???)
> PID:     27202
> Thread:  0
>
> Exception:  EXC_BAD_ACCESS (0x0001)
> Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
>
> Thread 0 Crashed:
> 0   libSystem.B.dylib 	0x90006e40 strlen + 0x20
> 1   libSystem.B.dylib 	0x9000cf58 strdup + 0x18
> 2   edu.mit.Kerberos  	0x200a2784 fai_add_hosts_by_name + 0x234
> 3   edu.mit.Kerberos  	0x200a23d0 fake_getaddrinfo + 0x1b4
> 4   edu.mit.Kerberos  	0x200a1f54 krb5_sname_to_principal + 0xbc
> 5   edu.mit.Kerberos  	0x20076148 krb5_gss_import_name + 0x114

> This is the krb5 trunk (fake-addrinfo.h revision 1.49) and Panther
> (10.3.4).
> Assigned to Ken because I think he worked on the fake getaddrinfo
> stuff last.

Yep, probably so.

I see two calls to strdup in that code.  I'd guess that the two most
likely failure cases are (1) getaddrinfo with the AI_CANONNAME flag set
returns a NULL ai_canonname field, which may be violating the spec, if
only I had some clue what spec Apple is actually trying to adhere to
(getaddrinfo man page, anyone?), or (2) allocation fails in one strdup
call, and the return value isn't checked, so the second call site may
get a NULL pointer.  (Actually, function inline expansion could add one
more, but it should only call strdup(NULL) if a NULL hostname is passed
in.)  I can add checks for these.

However, "ssh meeroh.org -vvv" doesn't crash for me, at least before
the point of asking me to check the fingerprint of the key, using
/usr/bin/ssh on Panther.

Ken



Mon Aug  9 15:21:57 2004  lxs - Comments added
Sorry, I should have been more clear.  It works fine on Panther with krb5-1.3.x.  It only fails if you're using the 1.4 sources (ie: what's on the trunk now), which you wouldn't be unless you were me...  So I would expect stock Panther ssh to succeed.


Mon Aug  9 17:15:42 2004  raeburn - Comments added

Cc: Ken Raeburn <raeburn@mit.edu>, krb5-prs@mit.edu
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #2661] fake_getaddrinfo on address that doesn't reverse resolve causes crash
Date: Mon, 9 Aug 2004 17:15:21 -0400
To: rt-comment@krbdev.mit.edu

We tracked it down, the problem is (1) Apple's getaddrinfo(dotted-quad,
hints.flags=AI_CANONNAME) returns ai_canonname=NULL, (2) my getaddrinfo
caching code expects ai_canonname to be non-null always, because it
always sets AI_CANONNAME.

(2) is easier to fix....



Tue Dec  7 23:48:14 2004  raeburn - Status changed from open to resolved
Tue Dec  7 23:48:15 2004  raeburn - Comments added
I believe version 1.50 of include/fake-addrinfo.h fixed this problem.
This was before the 1.4 branch point.


Fri Dec 17 19:16:06 2004  tlyu - Version_Fixed 1.4 added