[krbdev.mit.edu #2661] fake_getaddrinfo on address that doesn't reverse resolve causes crash
Ken Raeburn
raeburn at MIT.EDU
Mon Aug 9 15:07:16 EDT 2004
On Aug 9, 2004, at 13:50, Alexandra Ellwood via RT wrote:
> I tried to ssh to a machine whose name doesn't reverse resolve
> (meeroh.org) and ssh
> crashed. The last ssh log messages are:
>
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2003-0693
> debug3: Trying to reverse map address 204.188.130.39.
> Bus error
>
> The crash logs says we are to blame.
>
> Host Name: elmekia-flame.mit.edu
> Date/Time: 2004-08-09 11:46:40 -0400
> OS Version: 10.3.4 (Build 7H63)
> Report Version: 2
>
> Command: ssh
> Path: /usr/bin/ssh
> Version: ??? (???)
> PID: 27202
> Thread: 0
>
> Exception: EXC_BAD_ACCESS (0x0001)
> Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
>
> Thread 0 Crashed:
> 0 libSystem.B.dylib 0x90006e40 strlen + 0x20
> 1 libSystem.B.dylib 0x9000cf58 strdup + 0x18
> 2 edu.mit.Kerberos 0x200a2784 fai_add_hosts_by_name + 0x234
> 3 edu.mit.Kerberos 0x200a23d0 fake_getaddrinfo + 0x1b4
> 4 edu.mit.Kerberos 0x200a1f54 krb5_sname_to_principal + 0xbc
> 5 edu.mit.Kerberos 0x20076148 krb5_gss_import_name + 0x114
> This is the krb5 trunk (fake-addrinfo.h revision 1.49) and Panther
> (10.3.4).
> Assigned to Ken because I think he worked on the fake getaddrinfo
> stuff last.
Yep, probably so.
I see two calls to strdup in that code. I'd guess that the two most
likely failure cases are (1) getaddrinfo with the AI_CANONNAME flag set
returns a NULL ai_canonname field, which may be violating the spec, if
only I had some clue what spec Apple is actually trying to adhere to
(getaddrinfo man page, anyone?), or (2) allocation fails in one strdup
call, and the return value isn't checked, so the second call site may
get a NULL pointer. (Actually, function inline expansion could add one
more, but it should only call strdup(NULL) if a NULL hostname is passed
in.) I can add checks for these.
However, "ssh meeroh.org -vvv" doesn't crash for me, at least before
the point of asking me to check the fingerprint of the key, using
/usr/bin/ssh on Panther.
Ken
More information about the krb5-bugs
mailing list