search for: fatal_cleanup

...ile working on something I noticed core dumps from sshd. They don't seem to be related to what I was working on. It's from the process forked to run the shell. Just after the fork, fatal_remove_all_cleanups() is called, which looks like: fatal_remove_all_cleanups(void) { struct fatal_cleanup *cu, *next_cu; for (cu = fatal_cleanups; cu; cu = next_cu) { next_cu = cu->next; xfree(cu); } } It runs through free'ing the structs, but it leaves the global fatal_cleanups pointing to the first struct. If called later, fatal_cleanup() at...

...ing doubly defined. The patch below deletes the new "ssh-keyscan.c:fatal()" function and and restores the "ssh-keyscan.c:fatal_callback()" function with modifi- cations. The problem that both attempt to alleviate is the setting of the <called> variable in the "log.c:fatal_cleanup()" function. In the current code, it can be called once only. The second time it's called, an immediate "exit(255)" is executed. Unfortunately, `ssh-keyscan' wants to ignore fatal errors encountered while accessing the server's keys so this is not good thing. My perso...

...is_on_socket()) { + fromlen = sizeof(from); + if (getpeername(packet_get_connection_in(), + (struct sockaddr *) & from, &fromlen) < 0) { + debug("getpeername: %.100s", strerror(errno)); + fatal_cleanup(); + } + } + + record_utmp_only(pid, s->tty, s->pw->pw_name, + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), + (struct sockaddr *)&from); +} +#endif + /* * This is called to fork and execute a command when we have no tt...

Hi, I am using ssh-keyscan with a list of hosts, such as: ssh-keyscan -t rsa -f hosts_for_keyscan Some of the hosts in the list have dsa, but no rsa keys. For such hosts, the command displays: no hostkey alg When this is the case for 2 hosts, this message appears twice AND SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are returned for the following hosts. Here is the part of the

...may send SSH_MSG_DISCONNECT, for immediate disconnect, I am surprised that this is the normal exit method used in putty implementation. I fear that any addition of code after server_loop, to be done once the connection is closed by the server might not get called, as it now is redirected to fatal_cleanup(). Is this normal and do other implementations follow this? And I would also like to know about the ssh hang-on-exit problem. Why is it necessary to redirect stdin to /dev/null to prevent this? How does this end processes running in background? Expecting your reply, Hari. _______...

...ded ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From dtucker at zip.com.au 2003-01-27 11:39 ------- Assuming it's the fatal_cleanup() thing (there's no information to disprove this and it certainly looks like it), this is now fixed. 20030114 - markus at cvs.openbsd.org 2003/01/11 18:29:43 [log.c] set fatal_cleanups to NULL in fatal_remove_all_cleanups(); ------- You are receiving this mail because: -------...

I'm getting core dumps from sshd when logging in using password authentication (using a public key works just fine). The core dump occurs just after entering a password--whether that password is correct or not. It only happens on this one machine. I've tried recompiling the entire setup--zlib, openssl & openssh--and the crash still occurs. It doesn't look like the putty-failure

...0. + */ + memset(&from, 0, sizeof(from)); + if (packet_connection_is_on_socket()) { + fromlen = sizeof(from); + if (getpeername(packet_get_connection_in(), + (struct sockaddr *) & from, &fromlen) < 0) { + debug("getpeername: %.100s", strerror(errno)); + fatal_cleanup(); + } + } - /* record login, etc. similar to login(1) */ - if (!(options.use_login && command == NULL)) + /* print motd, etc. similar to login(1) */ + if (!(options.use_login && command == NULL)) { + /* Record that there was a login on that tty from the remote host. */ +...

...es them. Thanks. diff -ru openssh-1.2.2p1/canohost.c openssh-1.2.2p1-20000308/canohost.c --- openssh-1.2.2p1/canohost.c Fri Jan 14 13:45:48 2000 +++ openssh-1.2.2p1-20000308/canohost.c Wed Mar 8 00:25:18 2000 @@ -42,6 +42,22 @@ debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } + +#ifdef IPV4_IN_IPV6 + if (((struct sockaddr *)&from)->sa_family == AF_INET6 && + IN6_IS_ADDR_V4MAPPED((&((struct sockaddr_in6 *)&from)->sin6_addr))){ + struct in_addr addr; + u_int16_t port; + memcpy(&addr, ((char *)&((struct sockaddr_in6 *)&fr...

...val_client() to evaluate and return the hostname. I also added the remote port to the "Closing" message, so that it could be correlated to the original connection. - also with sshd connection logging, I found that when using protocol2, it seems the daemon frequently exits with fatal_cleanup(), and execution doesn't return to main() to log the "connection closing" message. I don't understand the protocol well enough to know if there was a better way to have it handle the situation so that it actually does return to main. So, I did this: - added a rou...

...{ if (read(sock_in, &buf[i], 1) != 1) { + debug("version id %.100s, %d", strerror(errno), i); + if ((errno == EWOULDBLOCK) || (errno == EAGAIN)) { + i--; + continue; + } log("Did not receive ident string from %s.", get_remote_ipaddr()); fatal_cleanup(); } ---------------------------------------------------------------------------- -------- Steve Marquess 301-663-1770 x238 / 301-619-3933 voice DMLSS Technical Manager DSN 343-3933 JMLFDC 301-663-6788 / 301-619-7831 fax 623 Porter Street steve.marquess at amedd.army.mil Ft. Detr...

...&& !channel_still_open()) { debug("!channel_still_open."); break; } and returning to sshd.c:main() and logging the nice message, it continues to process_input(), gets a len==0 from the read(), and does: verbose("Connection closed by remote host."); fatal_cleanup(); Comparing the v1 server_loop and the v2 server_loop2, the v1 loop appears to have significantly more checks for breaking the loop: if (((fdout_eof && fderr_eof) || (child_terminated && child_has_selected)) && !packet_have_data_to_write() &&...

...{ + static char *canonical_host_ip = NULL; + + /* Check whether we have cached the ipaddr. */ + if (canonical_host_ip == NULL) { + if (packet_connection_is_on_socket()) { + canonical_host_ip = + get_local_ipaddr(packet_get_connection_out()); + if (canonical_host_ip == NULL) + fatal_cleanup(); + } else { + /* If not on socket, return UNKNOWN. */ + canonical_host_ip = xstrdup("UNKNOWN"); + } + } + return canonical_host_ip; + } + + /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed. *** openssh-2.9.9p2/can...

Ermmm.. bugzilla does not like return emails.=) ---------- Forwarded message ---------- Date: Wed, 23 Jan 2002 00:25:05 -0600 (CST) From: mouring at etoh.eviladmin.org To: bugzilla-daemon at mindrot.org Subject: Re: [Bug 75] Error compiling in ssh-agent.c > ------- Additional Comments From djm at mindrot.org 2002-01-23 17:16 ------- > AFAIK atexit() should only take one arg. It looks

...ving revision 1.1 diff -u -p -r1.1 fatal.c --- fatal.c 26 Feb 2002 19:24:22 -0000 1.1 +++ fatal.c 12 Sep 2003 09:54:15 -0000 @@ -36,5 +36,8 @@ fatal(const char *fmt,...) va_start(args, fmt); do_log(SYSLOG_LEVEL_FATAL, fmt, args); va_end(args); +#ifdef WITH_FATAL_COREDUMPS + abort(); +#endif fatal_cleanup(); }

...addr_6or4_len = sizeof(addr_6or4); + memset(&addr_6or4, 0, sizeof(addr_6or4)); + if (getsockname(socket, (struct sockaddr *) &addr_6or4, &addr_6or4_len) < 0) { + debug("getsockname failed: %.100s", strerror(errno)); + fatal_cleanup(); + } + #ifdef IPV4_IN_IPV6 + if (addr_6or4.ss_family == AF_INET6) { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)&addr_6or4; + + /* Detect IPv4 in IPv6 mapped address and convert it to */ + /* plain (AF_INET) IPv4 addre...

http://bugzilla.mindrot.org/show_bug.cgi?id=632 Summary: PAM conversation function does not return when connection is aborted Product: Portable OpenSSH Version: 3.6.1p2 Platform: All URL: http://www.cl.cam.ac.uk/~mgk25/otpw.html#opensshbug OS/Version: Linux Status: NEW Severity: major

...e 0.0.0.0. + */ + memset(&from, 0, sizeof(from)); + if (packet_connection_is_on_socket()) { + fromlen = sizeof(from); + if (getpeername(packet_get_connection_in(), + (struct sockaddr *) & from, &fromlen) < 0) { + debug("getpeername: %.100s", strerror(errno)); + fatal_cleanup(); + } + } + + record_utmp_only(pid, s->tty, s->pw->pw_name, + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), + (struct sockaddr *)&from); +} +#endif + /* administrative, login(1)-like work */ void do_login(Session *s, const char *command) @@ -1511,6 +1546,...

...char *canonical_host_ip = NULL; + + /* Check whether we have cached the ipaddr. */ + if (canonical_host_ip == NULL) { + if (packet_connection_is_on_socket()) { + canonical_host_ip = + get_socket_address(packet_get_connection_in(), 0, NI_NUMERICHOST); + if (canonical_host_ip == NULL) + fatal_cleanup(); + } else { + /* If not on socket, return UNKNOWN. */ + canonical_host_ip = xstrdup("UNKNOWN"); + } + } + return canonical_host_ip; } char * Index: canohost.h =================================================================== RCS file: /cvs/openssh/canohost.h,v retrieving rev...

...d requests. However, the failure occurs after the allocation size has already been updated, so that the bookkeeping data structures are in an inconsistent state (the recorded size is larger than the actual allocation). Furthermore, the detection of these failures causes OpenSSH to invoke several `fatal_cleanup' handlers, some of which may then attempt to use these inconsistent data structures. For example, a handler may zero and free a buffer in this state, and as a result memory outside of the allocated area will be overwritten with NUL bytes. III. Impact A remote attacker can cause OpenSSH to cr...