Hello,

I have been playing with valgrind + openssh-3.5p1 as distributed in Red Hat 9. In the report, I get this:

    ==1059== Invalid read of size 4
    ==1059==    at 0x40170B7D: vgAllRoadsLeadToRome_select (vg_intercept.c:612)
    ==1059==    by 0x40170DF2: __select (vg_intercept.c:681)
    ==1059==    by 0x804E4C6: (within /usr/sbin/sshd)
    ==1059==    by 0x403DC5CC: __libc_start_main (in /lib/libc-2.3.2.so)
    ==1059==    by 0x804C560: (within /usr/sbin/sshd)
    ==1059==    Address 0x41363BFC is 0 bytes after a block of size 4 alloc'd
    ==1058== checked 5467064 bytes.

This turns out to be around line 1261 in sshd.c:

    fd_set *fdset;
    ...snip...
    fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
    fdset = (fd_set *)xmalloc(fdsetsz);
    ...snip...
    ret = select(maxfd+1, fdset, NULL, NULL, NULL);

My question is: why don't you use

    fdsetsz = sizeof( fd_set );

The 2.4.20 Linux kernel defines fd_set like this:

    #define __NFDBITS (8 * sizeof(unsigned long))
    #define __FD_SETSIZE 1024
    #define __FDSET_LONGS (__FD_SETSIZE/__NFDBITS)

    typedef struct {
        unsigned long fds_bits [__FDSET_LONGS];
    } __kernel_fd_set;

This is a different size than the code in openssh. XFree86's Xpoll.h has a definition for fd_set, but it's wrapped with #ifdef BSD. It's just like the one in openssh, but not used under Linux.

So, what are your thoughts? Could a test be put into configure, so that platforms that have fd_set use sizeof(fd_set) and those that need the BSD style do something different? I'm not sure what the effects of this problem are. Valgrind also shows an illegal memory write upon return from select.

Best Regards,
Steve Grubb
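The sizing mismatch described in the message, as an added example (not code from the original post or from OpenSSH): bsd_fdset_size() reproduces the howmany()-based arithmetic sshd uses, safe_fdset_size() is an assumed hardened variant that never allocates less than the C library's fixed-size fd_set while still growing when maxfd reaches FD_SETSIZE, and sizing_is_short() reports the case valgrind flagged (a buffer of one fd_mask word handed to a select() wrapper that expects a whole fd_set).

```c
#define _DEFAULT_SOURCE          /* expose NFDBITS, fd_mask and howmany() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <sys/param.h>
#include <sys/select.h>

#ifndef howmany                  /* BSD macro; fallback for libcs that lack it */
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif

/* Size as computed in sshd.c: just enough fd_mask words to hold bits 0..maxfd.
 * With maxfd small this is a single word (4 bytes on 32-bit, 8 on 64-bit). */
size_t bsd_fdset_size(int maxfd)
{
    return howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask);
}

/* Assumed hardened sizing: at least sizeof(fd_set), which is what the C
 * library's select()/FD_* code is written against, but larger when maxfd
 * does not fit into the fixed FD_SETSIZE bits. */
size_t safe_fdset_size(int maxfd)
{
    size_t need = bsd_fdset_size(maxfd);
    return need > sizeof(fd_set) ? need : sizeof(fd_set);
}

/* 1 when the howmany()-based buffer is shorter than a full fd_set, i.e. the
 * situation behind "0 bytes after a block of size 4 alloc'd". */
int sizing_is_short(int maxfd)
{
    return bsd_fdset_size(maxfd) < sizeof(fd_set);
}

/* Allocate a zeroed set of the safe size (callers would pass it to select()). */
fd_set *alloc_fdset(int maxfd, size_t *out_size)
{
    size_t sz = safe_fdset_size(maxfd);
    fd_set *set = calloc(1, sz);
    if (set == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    if (out_size) *out_size = sz;
    return set;
}

int main(void)
{
    int maxfd = 3;               /* constructed: a handful of listening sockets */
    printf("maxfd=%d bsd=%zu sizeof(fd_set)=%zu safe=%zu short=%d\n", maxfd,
           bsd_fdset_size(maxfd), sizeof(fd_set), safe_fdset_size(maxfd),
           sizing_is_short(maxfd));
    return 0;
}
```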