openssh bugs - Nov 2020 - [Bug 3229] New: ssh -o "ConnectTimeout=2147484" => Aborted (core dumped)

https://bugzilla.mindrot.org/show_bug.cgi?id=3229

            Bug ID: 3229
           Summary: ssh -o "ConnectTimeout=2147484" => Aborted
(core
                    dumped)
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: paride at debian.org

Created attachment 3453
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3453&action=edit
coredump

Running

  ssh -o "ConnectTimeout=2147484" localhost

or with any timeout >=2147484 causes an immediate crash with coredump
of ssh:

  $ ssh -o "ConnectTimeout=2147484" localhost
  Aborted (core dumped)

This is with OpenSSH_8.3p1. Core dump attached.

First reported in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1903516

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3229

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Looks like it's an integer overflow caught by -ftrapv:

$ gdb --args ./ssh -o "ConnectTimeout=2147484" localhost
[...]
(gdb) run
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50        return ret;
(gdb) bt
#0  __GI_raise (sig=sig at entry=6) at
../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7a9a895 in __GI_abort () at abort.c:79
#2  0x000055555555e70e in __mulvsi3.cold ()
#3  0x0000555555562e83 in main (ac=0, av=0x5555556492e0) at
../../ssh.c:1526
(gdb) frame 3
#3  0x0000555555562e83 in main (ac=0, av=0x5555556492e0) at
../../ssh.c:1526
1526            timeout_ms = options.connection_timeout * 1000;

timeout_ms is an int.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3229

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3217
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Fixed in
http://anongit.mindrot.org/openssh.git/commit/?id=819b44e8b9af6ce18d3ec7505b9f461bf7991a1f

Thanks for the report.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3229

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.