
Re: samplesshd: Segmentation fault


Hello Aris,

I checked samplesshd memory management using the valgrind utility

valgrind --tool=memcheck --leak-check=full -v  ./samplesshd -p 1552 -l aris 2>valgrid.log

and got
.................................................
==30944== Invalid write of size 1
==30944==    at 0x4906C70: memset (mac_replace_strmem.c:464)
==30944==    by 0x4A269E2: message_new (messages.c:58)
==30944==    by 0x4A26CA9: handle_userauth_request (messages.c:127)
==30944==    by 0x4A283F5: ssh_message_get (messages.c:684)
==30944==    by 0x401451: main (samplesshd.c:72)
==30944==  Address 0x4B86100 is 0 bytes inside a block of size 176 free'd
==30944==    at 0x490555D: free (vg_replace_malloc.c:235)
==30944==    by 0x4A288F6: ssh_message_free (messages.c:788)
==30944==    by 0x401516: main (samplesshd.c:99)
==30944==
==30944== Invalid write of size 1
==30944==    at 0x4906C7D: memset (mac_replace_strmem.c:464)
==30944==    by 0x4A269E2: message_new (messages.c:58)
==30944==    by 0x4A26CA9: handle_userauth_request (messages.c:127)
==30944==    by 0x4A283F5: ssh_message_get (messages.c:684)
==30944==    by 0x401451: main (samplesshd.c:72)
==30944==  Address 0x4B86101 is 1 bytes inside a block of size 176 free'd
==30944==    at 0x490555D: free (vg_replace_malloc.c:235)
==30944==    by 0x4A288F6: ssh_message_free (messages.c:788)
==30944==    by 0x401516: main (samplesshd.c:99)
==30944==
==30944== Invalid write of size 8
==30944==    at 0x4A269EB: message_new (messages.c:59)
==30944==    by 0x4A26CA9: handle_userauth_request (messages.c:127)
==30944==    by 0x4A283F5: ssh_message_get (messages.c:684)
==30944==    by 0x401451: main (samplesshd.c:72)
==30944==  Address 0x4B86100 is 0 bytes inside a block of size 176 free'd
==30944==    at 0x490555D: free (vg_replace_malloc.c:235)
==30944==    by 0x4A288F6: ssh_message_free (messages.c:788)
==30944==    by 0x401516: main (samplesshd.c:99)
.................................................................

It shows that freed memory is used by memset in the message_new(SSH_SESSION *session).

Regards,
Eugene



--- On Wed, 12/2/09, Aris Adamantiadis <aris@xxxxxxxxxxxx> wrote:

From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Subject: Re: samplesshd:  Segmentation fault
To: libssh@xxxxxxxxxx
Date: Wednesday, December 2, 2009, 8:17 AM

Hello Eugene,

I will try to understand what happened, because this is not a known issue.
I keep you in touch.

Regards,

Aris
Eugene Starozhilov wrote:
> Hello!
> 
> I am trying to use libssh-0.3.4 for my project. I will need a server component. I tested the samples for ssh client and server (samplesshd and sample). During the connection samplesshd crashes with core dump:
> 
> $gdb ./samplesshd /var/crash/core.6450
> GNU gdb Red Hat Linux (6.3.0.0-1.159.el4rh)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/tls/libthread_db.so.1".
> 
> Core was generated by `./samplesshd -p 1553'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /mnt/LogVol06/starozhe/libssh/libssh/libssh.so.3...done.
> Loaded symbols for /mnt/LogVol06/starozhe/libssh/libssh/libssh.so.3
> Reading symbols from /usr/lib64/libz.so.1...done.
> Loaded symbols for /usr/lib64/libz.so.1
> Reading symbols from /lib64/libcrypto.so.4...done.
> Loaded symbols for /lib64/libcrypto.so.4
> Reading symbols from /lib64/tls/libc.so.6...done.
> Loaded symbols for /lib64/tls/libc.so.6
> Reading symbols from /usr/lib64/libgssapi_krb5.so.2...done.
> Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
> Reading symbols from /usr/lib64/libkrb5.so.3...done.
> Loaded symbols for /usr/lib64/libkrb5.so.3
> Reading symbols from /lib64/libcom_err.so.2...done.
> Loaded symbols for /lib64/libcom_err.so.2
> Reading symbols from /usr/lib64/libk5crypto.so.3...done.
> Loaded symbols for /usr/lib64/libk5crypto.so.3
> Reading symbols from /lib64/libresolv.so.2...done.
> Loaded symbols for /lib64/libresolv.so.2
> Reading symbols from /lib64/libdl.so.2...done.
> Loaded symbols for /lib64/libdl.so.2
> Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> #0  0x00000035e44697f1 in _int_malloc () from /lib64/tls/libc.so.6
> (gdb) bt
> #0  0x00000035e44697f1 in _int_malloc () from /lib64/tls/libc.so.6
> #1  0x00000035e446b6d2 in malloc () from /lib64/tls/libc.so.6
> #2  0x00000035e9a4d65b in CRYPTO_malloc () from /lib64/libcrypto.so.4
> #3  0x00000035e9a9c124 in EVP_DigestInit_ex () from /lib64/libcrypto.so.4
> #4  0x00000035e9a978f1 in RAND_SSLeay () from /lib64/libcrypto.so.4
> #5  0x00000035e9a97b26 in RAND_SSLeay () from /lib64/libcrypto.so.4
> #6  0x0000002a9556d985 in ssh_get_random (where=0x7fbffff520, len=13, strong=0)
>     at /home/starozhe/libssh-0.3.4/libssh/dh.c:92
> #7  0x0000002a9557a0d1 in packet_send2 (session=0x506dc0) at /home/starozhe/libssh-0.3.4/libssh/packet.c:466
> #8  0x0000002a9557a276 in packet_send (session=0x506dc0) at /home/starozhe/libssh-0.3.4/libssh/packet.c:591
> #9  0x0000002a95576312 in ssh_message_auth_reply_default (msg=0x507940, partial=0)
>     at /home/starozhe/libssh-0.3.4/libssh/messages.c:296
> #10 0x0000002a95577658 in ssh_message_reply_default (msg=0x507940) at /home/starozhe/libssh-0.3.4/libssh/messages.c:744
> #11 0x0000000000401503 in main (argc=1, argv=0x7fbffff7b8) at /home/starozhe/libssh-0.3.4/samplesshd.c:92
> 
> It is Red Hat Enterprise Linux AS release 4 (Nahant Update 7)
> gcc version 3.4.6 20060404 (Red Hat 3.4.6-10)
> 
> Any help would be appreciated.
> 
> By the way I found a small bug in the server.c code:
> variable  session->log_verbosity doesn't get set.
> That can be fixed by changing line 232
>  session->options = ssh_options_copy(ssh_bind->options);
> to
>  ssh_set_options(session, ssh_options_copy(ssh_bind->options));
> 
> Regards,
> Eugene Starozhilov
> 
> 
> 
> 
> 
> 
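The valgrind output quoted in Eugene's mail above is the kind of report a maintainer has to triage by hand: each "Invalid write" block names the code that touched the memory, and the "free'd" block below it names the code that released it. The following script is an added example, not code from libssh or from anyone on this thread; it parses memcheck text of that shape and pairs every bad access with the free site of the block it hit, so the use-after-free shows up as one line ("message_new writes into a block freed by ssh_message_free") instead of thirty. The sample log is the three reports copied from the mail above; the function and class names (parse_memcheck, MemcheckError, summarize_use_after_free) are this example's own.

```python
"""Triage valgrind memcheck output for use-after-free reports (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the three reports from the valgrind run quoted in the mail
# above, embedded here as a literal so the script runs offline.
SAMPLE_LOG = """\
==30944== Invalid write of size 1
==30944==    at 0x4906C70: memset (mac_replace_strmem.c:464)
==30944==    by 0x4A269E2: message_new (messages.c:58)
==30944==    by 0x4A26CA9: handle_userauth_request (messages.c:127)
==30944==    by 0x4A283F5: ssh_message_get (messages.c:684)
==30944==    by 0x401451: main (samplesshd.c:72)
==30944==  Address 0x4B86100 is 0 bytes inside a block of size 176 free'd
==30944==    at 0x490555D: free (vg_replace_malloc.c:235)
==30944==    by 0x4A288F6: ssh_message_free (messages.c:788)
==30944==    by 0x401516: main (samplesshd.c:99)
==30944==
==30944== Invalid write of size 1
==30944==    at 0x4906C7D: memset (mac_replace_strmem.c:464)
==30944==    by 0x4A269E2: message_new (messages.c:58)
==30944==    by 0x4A26CA9: handle_userauth_request (messages.c:127)
==30944==    by 0x4A283F5: ssh_message_get (messages.c:684)
==30944==    by 0x401451: main (samplesshd.c:72)
==30944==  Address 0x4B86101 is 1 bytes inside a block of size 176 free'd
==30944==    at 0x490555D: free (vg_replace_malloc.c:235)
==30944==    by 0x4A288F6: ssh_message_free (messages.c:788)
==30944==    by 0x401516: main (samplesshd.c:99)
==30944==
==30944== Invalid write of size 8
==30944==    at 0x4A269EB: message_new (messages.c:59)
==30944==    by 0x4A26CA9: handle_userauth_request (messages.c:127)
==30944==    by 0x4A283F5: ssh_message_get (messages.c:684)
==30944==    by 0x401451: main (samplesshd.c:72)
==30944==  Address 0x4B86100 is 0 bytes inside a block of size 176 free'd
==30944==    at 0x490555D: free (vg_replace_malloc.c:235)
==30944==    by 0x4A288F6: ssh_message_free (messages.c:788)
==30944==    by 0x401516: main (samplesshd.c:99)
==30944==
"""

PID_RE = re.compile(r"^==\d+==\s?(.*)$")           # strips the "==PID==" prefix
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
ADDR_RE = re.compile(r"^Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block "
                     r"of size (\d+) (free'd|alloc'd)$")
# memset/free frames inside valgrind's replacement libc are not the caller's
# code; skip them when naming the responsible source line.
VG_INTERNAL = ("vg_replace_", "mac_replace_")


@dataclass
class MemcheckError:
    kind: str           # "read" or "write"
    size: int           # bytes accessed
    access_stack: list  # "func (file:line)" frames, innermost first
    offset: int         # offset of the faulting address inside the block
    block_size: int
    block_state: str    # "free'd" means use-after-free; "alloc'd" means overflow
    block_stack: list   # stack that freed (or allocated) the block

    @staticmethod
    def _site(stack):
        """First frame that is the program's own code, e.g. 'message_new (messages.c:58)'."""
        return next((f for f in stack if not any(t in f for t in VG_INTERNAL)), "?")

    @property
    def access_site(self):
        return self._site(self.access_stack)

    @property
    def block_site(self):
        return self._site(self.block_stack)

    @property
    def is_use_after_free(self):
        return self.block_state == "free'd"


def parse_memcheck(text):
    """Return one MemcheckError per 'Invalid read/write' report in memcheck output."""
    errors, current, target = [], None, None
    for raw in text.splitlines():
        m = PID_RE.match(raw)
        if not m:
            continue                          # program output, not a memcheck line
        line = m.group(1).strip()
        if (m_err := ERROR_RE.match(line)):
            current = MemcheckError(m_err.group(1), int(m_err.group(2)), [], -1, -1, "", [])
            target = current.access_stack     # frames now describe the bad access
            errors.append(current)
        elif current is not None and (m_addr := ADDR_RE.match(line)):
            current.offset, current.block_size = int(m_addr.group(1)), int(m_addr.group(2))
            current.block_state = m_addr.group(3)
            target = current.block_stack      # frames now describe the free/alloc
        elif current is not None and (m_fr := FRAME_RE.match(line)):
            target.append(f"{m_fr.group(1)} ({m_fr.group(2)})")
        elif line == "":
            current = target = None           # a bare "==PID==" line ends the report
    return errors


def summarize_use_after_free(errors):
    """Count (writing site, freeing site) pairs; the most frequent pair is where to look first."""
    return Counter((e.access_site, e.block_site) for e in errors if e.is_use_after_free)


if __name__ == "__main__":
    for (access, freed), n in summarize_use_after_free(parse_memcheck(SAMPLE_LOG)).most_common():
        print(f"{n}x use-after-free: {access} writes into a block freed at {freed}")
```

Run on the quoted log it reduces the three reports to two lines, both pointing at message_new writing into the block that main had already released through ssh_message_free; the same parser can be pointed at a full `valgrind --tool=memcheck` log by reading the file instead of SAMPLE_LOG. Reports whose block state is "alloc'd" are kept as MemcheckError records but left out of the use-after-free summary, since those are overflows rather than stale-pointer writes.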

References:
Re: samplesshd: Segmentation fault, Aris Adamantiadis <aris@xxxxxxxxxxxx>