openssh unix dev - Feb 2000 - Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)

Hi,

I would like to report a bug in OpenSSH-1.2.2 (release) under Linux.

Under certain conditions the sshd client process segfaults while doing
the password authentification. I have observed the behaviour with
glibc 2.0.7 (non-PAM), glibc 2.1.1 (PAM) and glibc 2.1.2 (PAM), when
'RhostsRSAAuthentication yes' is chosen in sshd_config. It appears to
happen regardless whether PAM is used or not (but under slightly
different conditions). With glibc 2.0.7/2.1.1 it happens at the first
password authentication attempt, while with glibc 2.1.2 things are a
bit more complicated:

With PAM enabled the segfault happens at the second or third password
authentication attempt regardless whether this attempt would have
succeeded (i.e. when I entered the right password) or not. With PAM
disabled (--without-pam) I was only able to observe it at an password
authentication attempt > 1 when this attempt would have succeeded.

Here is a debugger session on a glibc 2.1.2 (SuSE 6.3) system, where
sshd was compiled with PAM enabled, the sshd_config file was the
example file from opensshd-1.2.2.tar.gz where

RhostsRSAAuthentication yes 

has been set:

(gdb) run
Starting program: /home/bernd/download/openssh-1.2.2/sshd -d -f sshd_config
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 890
debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug: Sent 768 bit public key and 1023 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "bernd"
debug: Attempting authentication for bernd.
debug: Trying rhosts with RSA host authentication for bernd
Failed rhosts-rsa for bernd from 127.0.0.1 port 890 ruser bernd
debug: PAM Password authentication for "bernd" failed: Authentication
failure
Failed password for bernd from 127.0.0.1 port 890

Program received signal SIGSEGV, Segmentation fault.
0x400b0ef2 in chunk_alloc (ar_ptr=0x40149ba0, nb=16) at malloc.c:2707
2707    malloc.c: No such file or directory.
(gdb) where
#0  0x400b0ef2 in chunk_alloc (ar_ptr=0x40149ba0, nb=16) at malloc.c:2707
#1  0x400b0e14 in __libc_malloc (bytes=8) at malloc.c:2651
#2  0x804ec58 in pamconv (num_msg=1, msg=0xbfffeca0, resp=0xbfffeca4, 
    appdata_ptr=0x0) at auth-pam.c:43
#3  0x40019911 in __get_authtok () from /lib/security/pam_unix.so
#4  0x40017a5d in pam_sm_authenticate () from /lib/security/pam_unix.so
#5  0x4004f648 in pam_fail_delay () from /lib/libpam.so.0
#6  0x4004f9ce in _pam_dispatch () from /lib/libpam.so.0
#7  0x400512cc in pam_authenticate () from /lib/libpam.so.0
#8  0x804ef47 in auth_pam_password (pw=0xbffff24c, password=0x80826c0
"asdf")
    at auth-pam.c:136
#9  0x804c75d in do_authloop (pw=0xbffff24c) at sshd.c:1445
#10 0x804c329 in do_authentication () at sshd.c:1248
#11 0x804bb58 in main (ac=4, av=0xbffff8a4) at sshd.c:873


I hope this report helps finding the bug. If you would like me to
perform further tests, please let me know.

Best regards,

Stefan 
and Bernd (who originally found this behavior)

-------------------------------------------------------------------
Email:    Stefan.Heinrichs at uni-konstanz.de
Address:  Fakulaet fuer Physik, Universitaet Konstanz,
          Universitaetsstr.10, 78457 Konstanz, Germany
Phone:    +49 7531 88 3814

On Wed, 2 Feb 2000, Stefan Heinrichs wrote:
> Hi,
> 
> I would like to report a bug in OpenSSH-1.2.2 (release) under Linux.
> 
> Under certain conditions the sshd client process segfaults while doing
> the password authentification. I have observed the behaviour with
This has been fixed:

Index: sshd.c
==================================================================RCS file:
/var/cvs/openssh/sshd.c,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- sshd.c	2000/01/26 00:07:22	1.55
+++ sshd.c	2000/02/02 14:07:08	1.56
@@ -1524,8 +1524,10 @@
 			return;
 		}
 
-		if (client_user != NULL)
+		if (client_user != NULL) {
 			xfree(client_user);
+			client_user = NULL;
+		}
 
 		if (attempt > AUTH_FAIL_MAX)
 			packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);


-d
 

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)