> On Apr 10, 2023, at 7:24 AM, Darren Tucker <dtucker at dtucker.net>
wrote:
>
> On Mon, 10 Apr 2023 at 07:07, Peter Stuge <peter at stuge.se> wrote:
>>
>> Brian Candler wrote:
>>>> What's odd is that the length is *always* 1231976033 (which is
>>>> 0x496E7661 or "Inva" in ASCII).
>
> One thing that can cause this is if the libc writes to stderr (i.e. fd
> 2) on some classes of error. This is something libc should probably
> not do, since things that are not simple command line tools (say, an
> ssh daemon) may be using fd 2 for something else entirely.
>
>>> Could you get a tcpdump when this happens?
>>
>> Or debug output from at least the client (run ssh with -vvv) or
>> preferably the server (run sshd with -ddd).
>
> That's probably not going to show it, but strace'ing either the client
> or the server will probably capture the error message in full.
>
> Since you're using 9.1, the message could be an "Invalid free", since
> there was a double-free bug in that release :-(
>
Forgot to ask: does this bug manifest at any particular time, or just connection
initiation? Because I can see it happen on a connection that's been up for
days... either idle or experiencing heavy traffic... etc.
-Philip
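The mechanism Darren describes (a daemon whose fd 2 is the connection socket, so any diagnostic written to stderr lands in the SSH stream and its first four bytes get read as the packet length) can be reproduced without OpenSSH. The following is an added illustration written for this page, not code from the thread or from OpenSSH: it spawns a child with its stderr pointed at one end of a socketpair, has the child emit a constructed message beginning "Invalid free", and shows the peer decoding the first four bytes as the big-endian uint32 packet_length of an SSH binary packet, which is exactly 1231976033. The 256 KiB cap and the "printable ASCII" heuristic are assumptions made here for the check, not values taken from the thread.

```python
import socket
import struct
import subprocess
import sys

# Assumption for the sanity check below: OpenSSH caps a single packet
# at 256 KiB, so anything larger is rejected as a bad packet length.
PACKET_MAX_SIZE = 256 * 1024


def decode_length(first4: bytes) -> int:
    """An SSH binary packet starts with a 4-byte big-endian packet_length."""
    return struct.unpack("!I", first4[:4])[0]


def classify_length(first4: bytes) -> str:
    """Heuristic diagnostic (assumption, not an OpenSSH check): a length over
    the cap whose four bytes are all printable ASCII is almost certainly
    text that was written onto the wire, not a real packet header."""
    n = decode_length(first4)
    if n <= PACKET_MAX_SIZE:
        return "plausible"
    if all(0x20 <= b < 0x7F for b in first4[:4]):
        return "text-on-the-wire:" + first4[:4].decode("ascii")
    return "bad-length"


def run_child_with_stderr_on_socket(message: bytes) -> bytes:
    """Spawn a child whose fd 2 is the peer socket, have it write `message`
    to fd 2 (what a libc error path effectively does when the daemon has
    reused fd 2 for the connection), and return what the peer reads."""
    peer, child_end = socket.socketpair()
    # Passing the socket fd as stderr makes the child's fd 2 the connection.
    subprocess.run(
        [sys.executable, "-c",
         "import os, sys; os.write(2, sys.argv[1].encode())",
         message.decode()],
        stderr=child_end.fileno(),
        check=True,
    )
    child_end.close()
    data = peer.recv(4096)
    peer.close()
    return data


if __name__ == "__main__":
    # Constructed stderr message; only the first four bytes matter to the peer.
    wire = run_child_with_stderr_on_socket(b"Invalid free() of unknown pointer\n")
    print("first 4 bytes on the wire:", wire[:4])
    print("decoded as packet_length:", decode_length(wire))
    print("verdict:", classify_length(wire))
```

Running it prints the same 1231976033 Brian reported, which is what a server-side packet reader sees if any diagnostic reaches fd 2 while that fd is the client connection; a tcpdump or strace of the real daemon, as suggested above, would show the full text rather than only its first four bytes.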