[krbdev.mit.edu #2661] fake_getaddrinfo on address that doesn't reverse resolve causes crash

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Mon Aug 9 15:07:21 EDT 2004


On Aug 9, 2004, at 13:50, Alexandra Ellwood via RT wrote:
> I tried to ssh to a machine whose name doesn't reverse resolve 
> (meeroh.org) and ssh
> crashed.  The last ssh log messages are:
>
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2003-0693
> debug3: Trying to reverse map address 204.188.130.39.
> Bus error
>
> The crash logs says we are to blame.
>
> Host Name:      elmekia-flame.mit.edu
> Date/Time:      2004-08-09 11:46:40 -0400
> OS Version:     10.3.4 (Build 7H63)
> Report Version: 2
>
> Command: ssh
> Path:    /usr/bin/ssh
> Version: ??? (???)
> PID:     27202
> Thread:  0
>
> Exception:  EXC_BAD_ACCESS (0x0001)
> Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
>
> Thread 0 Crashed:
> 0   libSystem.B.dylib 	0x90006e40 strlen + 0x20
> 1   libSystem.B.dylib 	0x9000cf58 strdup + 0x18
> 2   edu.mit.Kerberos  	0x200a2784 fai_add_hosts_by_name + 0x234
> 3   edu.mit.Kerberos  	0x200a23d0 fake_getaddrinfo + 0x1b4
> 4   edu.mit.Kerberos  	0x200a1f54 krb5_sname_to_principal + 0xbc
> 5   edu.mit.Kerberos  	0x20076148 krb5_gss_import_name + 0x114

> This is the krb5 trunk (fake-addrinfo.h revision 1.49) and Panther 
> (10.3.4).
> Assigned to Ken because I think he worked on the fake getaddrinfo 
> stuff last.

Yep, probably so.

I see two calls to strdup in that code.  I'd guess that the two most 
likely failure cases are (1) getaddrinfo with the AI_CANONNAME flag set 
returns a NULL ai_canonname field, which may be violating the spec, if 
only I had some clue what spec Apple is actually trying to adhere to 
(getaddrinfo man page, anyone?), or (2) allocation fails in one strdup 
call, and the return value isn't checked, so the second call site may 
get a NULL pointer.  (Actually, function inline expansion could add one 
more, but it should only call strdup(NULL) if a NULL hostname is passed 
in.)  I can add checks for these.

However, "ssh meeroh.org -vvv" doesn't crash for me, at least before 
the point of asking me to check the fingerprint of the key, using 
/usr/bin/ssh on Panther.

Ken


