Subject: fake_getaddrinfo on address that doesn't reverse resolve causes crash
I tried to ssh to a machine whose name doesn't reverse resolve (meeroh.org) and ssh
crashed. The last ssh log messages are:

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2003-0693
debug3: Trying to reverse map address 204.188.130.39.
Bus error

The crash log says we are to blame.

Host Name: elmekia-flame.mit.edu
Date/Time: 2004-08-09 11:46:40 -0400
OS Version: 10.3.4 (Build 7H63)
Report Version: 2

Command: ssh
Path: /usr/bin/ssh
Version: ??? (???)
PID: 27202
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0 libSystem.B.dylib 0x90006e40 strlen + 0x20
1 libSystem.B.dylib 0x9000cf58 strdup + 0x18
2 edu.mit.Kerberos 0x200a2784 fai_add_hosts_by_name + 0x234
3 edu.mit.Kerberos 0x200a23d0 fake_getaddrinfo + 0x1b4
4 edu.mit.Kerberos 0x200a1f54 krb5_sname_to_principal + 0xbc
5 edu.mit.Kerberos 0x20076148 krb5_gss_import_name + 0x114
6 ssh 0x000259d0 0x1000 + 0x249d0
7 ssh 0x00025bac 0x1000 + 0x24bac
8 ssh 0x00025150 0x1000 + 0x24150
9 ssh 0x0000ee80 0x1000 + 0xde80
10 ssh 0x0000d37c 0x1000 + 0xc37c
11 ssh 0x00006ee8 0x1000 + 0x5ee8
12 ssh 0x000058e0 0x1000 + 0x48e0
13 ssh 0x00005754 0x1000 + 0x4754


This is the krb5 trunk (fake-addrinfo.h revision 1.49) and Panther (10.3.4).
Assigned to Ken because I think he worked on the fake getaddrinfo stuff last.
Cc: krb5-prs@mit.edu
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #2661] fake_getaddrinfo on address that doesn't reverse resolve causes crash
Date: Mon, 9 Aug 2004 15:07:16 -0400
To: rt-comment@krbdev.mit.edu
RT-Send-Cc:
On Aug 9, 2004, at 13:50, Alexandra Ellwood via RT wrote:
> I tried to ssh to a machine whose name doesn't reverse resolve
> (meeroh.org) and ssh
> crashed. The last ssh log messages are:
>
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2003-0693
> debug3: Trying to reverse map address 204.188.130.39.
> Bus error
>
> The crash logs says we are to blame.
>
> Host Name: elmekia-flame.mit.edu
> Date/Time: 2004-08-09 11:46:40 -0400
> OS Version: 10.3.4 (Build 7H63)
> Report Version: 2
>
> Command: ssh
> Path: /usr/bin/ssh
> Version: ??? (???)
> PID: 27202
> Thread: 0
>
> Exception: EXC_BAD_ACCESS (0x0001)
> Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
>
> Thread 0 Crashed:
> 0 libSystem.B.dylib 0x90006e40 strlen + 0x20
> 1 libSystem.B.dylib 0x9000cf58 strdup + 0x18
> 2 edu.mit.Kerberos 0x200a2784 fai_add_hosts_by_name + 0x234
> 3 edu.mit.Kerberos 0x200a23d0 fake_getaddrinfo + 0x1b4
> 4 edu.mit.Kerberos 0x200a1f54 krb5_sname_to_principal + 0xbc
> 5 edu.mit.Kerberos 0x20076148 krb5_gss_import_name + 0x114

> This is the krb5 trunk (fake-addrinfo.h revision 1.49) and Panther
> (10.3.4).
> Assigned to Ken because I think he worked on the fake getaddrinfo
> stuff last.

Yep, probably so.

I see two calls to strdup in that code. I'd guess that the two most
likely failure cases are (1) getaddrinfo with the AI_CANONNAME flag set
returns a NULL ai_canonname field, which may be violating the spec, if
only I had some clue what spec Apple is actually trying to adhere to
(getaddrinfo man page, anyone?), or (2) allocation fails in one strdup
call, and the return value isn't checked, so the second call site may
get a NULL pointer. (Actually, function inline expansion could add one
more, but it should only call strdup(NULL) if a NULL hostname is passed
in.) I can add checks for these.

However, "ssh meeroh.org -vvv" doesn't crash for me, at least before
the point of asking me to check the fingerprint of the key, using
/usr/bin/ssh on Panther.

Ken
Sorry, I should have been clearer. It works fine on Panther with krb5-1.3.x. It only fails if
you're using the 1.4 sources (i.e. what's on the trunk now), which you wouldn't be unless you
were me... So I would expect stock Panther ssh to succeed.
Cc: Ken Raeburn <raeburn@mit.edu>, krb5-prs@mit.edu
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #2661] fake_getaddrinfo on address that doesn't reverse resolve causes crash
Date: Mon, 9 Aug 2004 17:15:21 -0400
To: rt-comment@krbdev.mit.edu
RT-Send-Cc:
We tracked it down, the problem is (1) Apple's getaddrinfo(dotted-quad,
hints.flags=AI_CANONNAME) returns ai_canonname=NULL, (2) my getaddrinfo
caching code expects ai_canonname to be non-null always, because it
always sets AI_CANONNAME.

(2) is easier to fix....
I believe version 1.50 of include/fake-addrinfo.h fixed this problem.
This was before the 1.4 branch point.
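The failure mode Ken describes (getaddrinfo() with AI_CANONNAME handing back ai_canonname == NULL for a dotted-quad, and the caching code passing that NULL to strdup()) is easy to reproduce in miniature. The following is an added example, not krb5's fake-addrinfo.h code: a small helper that never dereferences a NULL ai_canonname, falls back to the name the caller asked for, and checks strdup() itself; the function names are this example's own, and the lookup is restricted to numeric input (AI_NUMERICHOST) so it runs without DNS.

```c
/* Added example, not krb5's code: a canonical-name helper that tolerates
 * the behaviour reported in this ticket, where getaddrinfo() called with
 * AI_CANONNAME returns ai_canonname == NULL for a numeric address.  The
 * fake-addrinfo.h 1.49 caching code passed that NULL straight to strdup(),
 * hence the crash inside strlen(); here we fall back to the requested name
 * and check the strdup() result.  Function names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Return a malloc'd canonical name for RESULT, or NULL on allocation
 * failure.  Never dereferences a NULL ai_canonname. */
char *safe_canonname(const struct addrinfo *result, const char *requested)
{
    const char *src;
    if (result != NULL && result->ai_canonname != NULL)
        src = result->ai_canonname;          /* resolver supplied one */
    else
        src = requested;                     /* AI_CANONNAME not honoured */
    if (src == NULL)
        return NULL;                         /* nothing sensible to copy */
    return strdup(src);                      /* caller must check for NULL */
}

/* Resolve HOST with the flag the ticket describes (AI_CANONNAME), limited
 * to numeric input so no DNS is needed.  Returns a malloc'd name, or NULL
 * if the lookup or the allocation fails. */
char *lookup_canonname(const char *host)
{
    struct addrinfo hints, *res = NULL;
    char *name;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME | AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return NULL;
    name = safe_canonname(res, host);        /* tolerates NULL ai_canonname */
    freeaddrinfo(res);
    return name;
}

int main(void)
{
    char *n = lookup_canonname("204.188.130.39");  /* address from the ticket */
    printf("canonical name: %s\n", n ? n : "(lookup or allocation failed)");
    free(n);
    return 0;
}
```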