bugzilla-daemon at mindrot.org
2002-Mar-12 22:10 UTC
[Bug 160] Race condition in clientloop.c?
http://bugzilla.mindrot.org/show_bug.cgi?id=160 ------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-13 09:10 ------- Created an attachment (id=40) Debug output, lsof output, etc... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Mar-13 21:25 UTC
[Bug 160] Race condition in clientloop.c?
http://bugzilla.mindrot.org/show_bug.cgi?id=160
Nicolas.Williams at ubsw.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-14 08:25
-------
Aha!
Yes, there is a race. It's there in 2.9p2, but apparently not in 3.0.2p1.
Essentially the
"if (compat20 && session_closed &&
!channel_still_open())"
check at the top of the client loop is not close enough to the
call to select() in client_wait_until_can_do_something(). In fact,
client_wait_until_can_do_something() calls channel_prepare_select()
which calls channel_handler() which may well call chan_is_dead()
which may leave no channels open and yet
client_wait_until_can_do_something() will still go into the
select().
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
Not in 3.0.2p1? What about in the version I originally posted about, 3.1?>http://bugzilla.mindrot.org/show_bug.cgi?id=160 > >Nicolas.Williams at ubsw.com changed: > > What |Removed |Added >----------------------------------------------------------------------------> Status|NEW |RESOLVED > Resolution| |FIXED > > > >------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-1408:25 ------->Aha! > >Yes, there is a race. It's there in 2.9p2, but apparently not in 3.0.2p1. > >Essentially the > >"if (compat20 && session_closed && !channel_still_open())" > >check at the top of the client loop is not close enough to the >call to select() in client_wait_until_can_do_something(). In fact, >client_wait_until_can_do_something() calls channel_prepare_select() >which calls channel_handler() which may well call chan_is_dead() >which may leave no channels open and yet >client_wait_until_can_do_something() will still go into the >select().On Tue, Mar 12, 2002 at 11:27:19AM +1300, Adrian Pronk wrote:> I've just built openssh 3.1 for my Redhat 5.1 system (running on a 486 > DX-66) using the latest zlib and openssl libraries. > > Connecting to the machine with ssh seems to work fine (although it takesa> while to initiate a connection). > > But when I transfer a file to the machine with scp, it seems to work fine > and the scp completes, but an ssh sub-process remains behind on theclient> and an sshd sub-process remains behind on the host. When I strace them, > the client is waiting on a socket and the host is waiting on three > different fd's (under 5.1, its hard to tell what they are without makingan> effort :) ). > > I did not compile the system on the target machine (which is myfirewall).> My old development machine was a RH 5.1 box. I bought a new box recently > and put RH 7.2 on it. I copied the development RH 5.1 file system on toit> (including /dev). I then chroot'ed to that directory , mounted a new/proc> and had my 5.1 development environment back. I compiled (make install) > openSSL, zlib, openSSH on this and copied the likely output files to the > target machine. I wouldn't think this development environment wouldbreak> anything. > > Does anyone know off the top of their heads what the problem might be?If> not, I'll get stuck in and have a look at the code and see if I can see > anything.-- Adrian