Hi All.

While working on something I noticed core dumps from sshd. They don't seem to be related to what I was working on. It's from the process forked to run the shell.

Just after the fork, fatal_remove_all_cleanups() is called, which looks like:

    fatal_remove_all_cleanups(void)
    {
    	struct fatal_cleanup *cu, *next_cu;

    	/* walks the list and frees each node, but never resets the head */
    	for (cu = fatal_cleanups; cu; cu = next_cu) {
    		next_cu = cu->next;
    		xfree(cu);
    	}
    }

It runs through free'ing the structs, but it leaves the global fatal_cleanups pointing to the first struct. If called later, fatal_cleanup() attempts to deref whatever happens to be at that location, falls over, goes boom.

-Daz.

# gdb -q ./sshd /var/core/core.sshd.27549
[snip]
#0  0x00000000 in ?? ()
(gdb) bt
#0  0x00000000 in ?? ()
#1  0x0003ccb4 in fatal_cleanup () at ../log.c:254
#2  0x00038988 in fatal (fmt=0xf0c00 "") at ../fatal.c:39
#3  0x00023400 in do_tty_change_password (pw=0x10e690) at ../auth-passwd.c:300
#4  0x00029884 in do_login (s=0x101b4c, command=0x0) at ../session.c:764
#5  0x00029518 in do_exec_pty (s=0x101b4c, command=0x0) at ../session.c:617
#6  0x000296c0 in do_exec (s=0x101b4c, command=0x0) at ../session.c:710
#7  0x0002b1b0 in session_shell_req (s=0x101b4c) at ../session.c:1729
#8  0x0002b358 in session_input_channel_req (c=0x110cd8, rtype=0x10f750 "shell") at ../session.c:1780
#9  0x00028790 in server_input_channel_req (type=1111888, seq=13, ctxt=0x10d018) at ../serverloop.c:1021
#10 0x00038930 in dispatch_run (mode=1, done=0x0, ctxt=0x10d018) at ../dispatch.c:93
#11 0x00027f5c in server_loop2 (authctxt=0xff800) at ../serverloop.c:764
#12 0x00028d18 in do_authenticated (authctxt=0x109230) at ../session.c:218
#13 0x0001d84c in main (ac=7868, av=0x6) at ../sshd.c:1536
(gdb) frame 1
#1  0x0003ccb4 in fatal_cleanup () at ../log.c:254
254		(*cu->proc) (cu->context);
(gdb) print cu
$1 = (struct fatal_cleanup *) 0x1097e0
(gdb) print *cu
$2 = {next = 0x10, proc = 0, context = 0x109840}

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
Index: log.c
===================================================================
RCS file: /cvs/openssh/log.c,v
retrieving revision 1.26
diff -u -r1.26 log.c
--- log.c	7 Jan 2003 06:04:18 -0000	1.26
+++ log.c	10 Jan 2003 10:55:16 -0000
@@ -233,6 +233,7 @@
 		next_cu = cu->next;
 		xfree(cu);
 	}
+	fatal_cleanups = NULL;
 }
 
 /* Cleanup and exit */
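Review bot: the reset `fatal_cleanups = NULL;` is placed correctly after the loop (the loop reads the head, so it cannot come earlier), and it closes the dangling-head case shown in the backtrace, where fatal_cleanup() at log.c:254 dereferenced a freed node; it would be worth a one-line comment above the assignment saying that the list head must be cleared so that a later fatal_cleanup() in the forked child sees an empty list rather than freed memory, since the loop alone reads as complete and a future edit could drop the line without noticing.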
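The failure mode described above (a cleanup list freed node by node while the global head keeps pointing at the first freed node) is easy to reproduce in isolation. The following is an added example, not OpenSSH's code: it reconstructs a small cleanup registry with hypothetical struct layout and function bodies that only mirror the names in log.c, uses plain free() in place of xfree(), and shows the post-fix behaviour where a child that removes all handlers after fork and later hits fatal() runs zero handlers instead of walking freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical reconstruction of the registry; names follow log.c, but
 * the layout and bodies are assumptions for this example. */
struct fatal_cleanup {
    void (*proc)(void *);
    void *context;
    struct fatal_cleanup *next;
};

static struct fatal_cleanup *fatal_cleanups = NULL;

/* Push a handler on the front of the list. */
void fatal_add_cleanup(void (*proc)(void *), void *context)
{
    struct fatal_cleanup *cu = malloc(sizeof *cu);
    if (cu == NULL) {
        perror("malloc");
        exit(1);
    }
    cu->proc = proc;
    cu->context = context;
    cu->next = fatal_cleanups;
    fatal_cleanups = cu;
}

/* Fixed variant: free every node, then clear the head so a later
 * fatal_cleanup() finds an empty list instead of freed memory.
 * Without the final assignment the head dangles, which is the bug
 * in the report. */
void fatal_remove_all_cleanups(void)
{
    struct fatal_cleanup *cu, *next_cu;

    for (cu = fatal_cleanups; cu; cu = next_cu) {
        next_cu = cu->next;
        free(cu);
    }
    fatal_cleanups = NULL;
}

/* Run every registered handler (what fatal() calls before exiting).
 * Returns the number of handlers run so the behaviour is checkable. */
int fatal_cleanup(void)
{
    struct fatal_cleanup *cu, *next_cu;
    int ran = 0;

    for (cu = fatal_cleanups; cu; cu = next_cu) {
        next_cu = cu->next;
        (*cu->proc)(cu->context);
        free(cu);
        ran++;
    }
    fatal_cleanups = NULL;
    return ran;
}

/* Handler used by the scenarios below: counts its invocations. */
static void count_handler(void *ctx)
{
    *(int *)ctx += 1;
}

/* Scenario from the report: the forked child drops the parent's handlers,
 * then later fails with fatal(). With the head reset, no handler runs
 * and nothing freed is touched. Returns the number of handlers run. */
int child_path_after_fork(void)
{
    int calls = 0;
    fatal_add_cleanup(count_handler, &calls);
    fatal_add_cleanup(count_handler, &calls);
    fatal_remove_all_cleanups();
    return fatal_cleanup();
}

/* Normal path: handlers stay registered and all of them run on fatal().
 * Returns how many times the handler was invoked. */
int parent_path(void)
{
    int calls = 0;
    fatal_add_cleanup(count_handler, &calls);
    fatal_add_cleanup(count_handler, &calls);
    fatal_cleanup();
    return calls;
}

int main(void)
{
    printf("child after fork: %d handlers run\n", child_path_after_fork());
    printf("parent: handler invoked %d times\n", parent_path());
    return 0;
}
```

The reproducible check is the return value of child_path_after_fork(): with the head reset it is 0, and fatal_cleanups is NULL afterwards. The same scenario without the reset is undefined behaviour (a read through a freed node), which is exactly why the crash in the backtrace shows garbage in `*cu` rather than a clean failure.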