openssh bugs - Sep 2003 - [Bug 458] sshd crashes with "fatal: mm_malloc: size too big"

http://bugzilla.mindrot.org/show_bug.cgi?id=458

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|IRIX                        |All
           Platform|MIPS                        |All



------- Additional Comments From dtucker at zip.com.au  2003-09-05 14:23 -------
I had to reformat Guido's post to read it:

"Same Problem on Solaris 8
Build 32-Bit, gcc 2.95-3

It seems that line 170 in monitor_mm.c is the problem:
	if (size > SIZE_T_MAX - MM_MINSIZE + 1)
		fatal("mm_malloc: size too big");

size seems to be a different type (uint32)

in defines.h:
#ifndef SIZE_T_MAX
# define SIZE_T_MAX ULONG_MAX
#endif /* SIZE_T_MAX */
#ifndef HAVE_SIZE_T
	typedef unsigned int size_t;
# define HAVE_SIZE_T
#endif /* HAVE_SIZE_T */

the line
#define SIZE_T_MAX ULONG_MAX  should be changed,
I tried
# define SIZE_T_MAX ((2 << (8 * sizeof(size_t)) - 1)
but got an error (also out of bounds :-(

The definition of SIZE_T_MAX has to be changed to be in the range of the type of
size
>From the build log:
gcc -O3 -pipe -mcpu=ultrasparc -m32 -I. -I. -I/usr/local/include
-I/usr/local/include -DSSHDIR=\"/etc/ssh\"
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_      
SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/us
      r/local/lib/ssh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh/ssh-keysign\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DSSH_RAND_HELPER=\"/usr/local/lib/ssh/ssh-rand-helper\"
-DHAVE_CONFIG_H -c
monitor_mm.c
monitor_mm.c: In function `mm_malloc': monitor_mm.c:170:
warning: integer overflow in expression monitor_mm.c:170: warning: comparison
is always true due to limited range of data type"



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=458





------- Additional Comments From dtucker at zip.com.au  2003-09-05 14:30 -------
Created an attachment (id=380)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=380&action=view)
Set SIZE_T_MAX to UINT_MAX  if we we define size_t ourselves.

defines.h is obviously wrong for the case where neither SIZE_T_MAX or size_t
are defined; size_t ends up as unsigned int, while SIZE_T_MAX ends up as ULONG
max.

That works if sizeof(unsigned int) == sizeof(unsigned long).

Any objections to this patch?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=458

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|                            |627
              nThis|                            |
             Status|NEW                         |ASSIGNED



------- Additional Comments From dtucker at zip.com.au  2003-09-05 14:38 -------
BTW, the "U" means the constant should be evaluated as an unsigned.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=458

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #380 is|0                           |1
           obsolete|                            |



------- Additional Comments From dtucker at zip.com.au  2003-09-05 14:41 -------
Created an attachment (id=381)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=381&action=view)
Set SIZE_T_MAX to UINT_MAX if we we define size_t ourselves.

Sorry, mixed patch.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.