[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SIGSEGV on master on ssh_channel_free

Subject: Re: SIGSEGV on master on ssh_channel_free
From: Jason Curl <jason@xxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: libssh@xxxxxxxxxx
Date: Sat, 20 May 2017 17:29:27 +0200
To: <libssh@xxxxxxxxxx>


On 20/05/2017 14:19, Jason Curl wrote:

Hello,

My .NET wrapper (prototype) of libssh is crashing on ssh_channel_free() with
a SIGSEGV. I've compiled abbd6e3 with MSYS2 32-bit with GCC 6.3.0 (see
attachment for cmake output). I'm running on Windows 10 64-bit release 1703.

$ cmake -G"Unix Makefiles" -DCMAKE_INSTALL_PREFIX=/usr/local
-DCMAKE_BUILD_TYPE=Debug -DWITH_SSH1=ON ..

Using GDB to debug I get the following information:

Thread 1 received signal SIGSEGV, Segmentation fault.
0x61cd847c in ssh_list_get_iterator (list=0xfeeefeee)
     at C:/msys64/home/jcurl/libssh/src/misc.c:382
382       return list->root;
(gdb) bt
#0  0x61cd847c in ssh_list_get_iterator (list=0xfeeefeee)
     at C:/msys64/home/jcurl/libssh/src/misc.c:382
#1  0x61cd8491 in ssh_list_find (list=0xfeeefeee, value=0x55101f0)
     at C:/msys64/home/jcurl/libssh/src/misc.c:387
#2  0x61cc771c in ssh_channel_do_free (channel=0x55101f0)
     at C:/msys64/home/jcurl/libssh/src/channels.c:1037
#3  0x61cc76f1 in ssh_channel_free (channel=0x55101f0)
     at C:/msys64/home/jcurl/libssh/src/channels.c:1025
#4  0x014921cd in ?? ()
#5  0x014952f6 in ?? ()

The other frames are from the CLR and are uninteresting.

Sometimes I also get:

Thread 1 received signal SIGSEGV, Segmentation fault.
0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
     at C:/msys64/home/jcurl/libssh/src/buffer.c:108
108       if (buffer->data) {
(gdb) bt
#0  0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
     at C:/msys64/home/jcurl/libssh/src/buffer.c:108
#1  0x61cc774b in ssh_channel_do_free (channel=0x157c230)
     at C:/msys64/home/jcurl/libssh/src/channels.c:1041
#2  0x61cc76f1 in ssh_channel_free (channel=0x157c230)
     at C:/msys64/home/jcurl/libssh/src/channels.c:1025

My .NET program is simple. It does the following logical steps:

ssh_init();
m_Session = ssh_new();
ssh_options_set(m_Session, SSH_OPTIONS_COMPRESSION_LEVEL, 9);
ssh_options_set(m_Session, SSH_OPTIONS_HOST, "mylinuxserver.home.lan");
ssh_options_set(m_Session, SSH_OPTIONS_USER, "myuser");
ssh_connect(m_Session);  // Returns SSH_OK
ssh_pki_import_privkey_file("myprivatekey", null, null, null, &key);
ssh_userauth_none(m_Session, null);  // Returns SSH_AUTH_DENIED as expected
ssh_userauth_try_publickey(m_Session, null, key);  // Returns
SSH_AUTH_SUCCESS as expected
ssh_userauth_publickey(m_Session, null, key);
m_Channel = ssh_channel_new(m_Session);  // returns a pointer

Further testing shows that the next two commands are not necessary.Commenting out ssh_channel_open_session and ssh_channel_request_execreproduces a crash on master also.

ssh_channel_open_session(m_Channel);  // returns SSH_OK
ssh_channel_request_exec(m_Channel, "ps aux");
ssh_disconnect(m_Session);
ssh_channel_free(m_Channel);  // CRASH HERE

The crash I get in GDB is:

Thread 1 received signal SIGSEGV, Segmentation fault.
0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
    at C:/msys64/home/jcurl/libssh/src/buffer.c:108
108       if (buffer->data) {
(gdb) bt full 4
#0  0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
    at C:/msys64/home/jcurl/libssh/src/buffer.c:108
No locals.
#1  0x61cc774b in ssh_channel_do_free (channel=0xe5c1e8)
    at C:/msys64/home/jcurl/libssh/src/channels.c:1041
        it = 0x0
        session = 0xe5bfc8
#2  0x61cc76f1 in ssh_channel_free (channel=0xe5c1e8)
    at C:/msys64/home/jcurl/libssh/src/channels.c:1025
        session = 0xe5bfc8
#3  0x00d621d5 in ?? ()
No symbol table info available.
(More stack frames follow...)
(gdb)

Googling, it appears that the MS function HeapFree() sets values to0xFEEEFEEE. It's pretty tough to try and breakpoint a .NET program but Ididn't observe any calls to ssh_free.


Create Channel from session: 26251480 0x19090D8

Thread 1 hit Breakpoint 1, ssh_channel_new (session=0x19090d8)
    at C:/msys64/home/jcurl/libssh/src/channels.c:80

Create Channel: 26264040 0x190C1E8

Thread 1 received signal SIGSEGV, Segmentation fault.
0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
    at C:/msys64/home/jcurl/libssh/src/buffer.c:108
108       if (buffer->data) {
(gdb) bt ful 4
#0  0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
    at C:/msys64/home/jcurl/libssh/src/buffer.c:108
No locals.
#1  0x61cc774b in ssh_channel_do_free (channel=0x190c1e8)
    at C:/msys64/home/jcurl/libssh/src/channels.c:1041
        it = 0x0
        session = 0x190bfc8
#2  0x61cc76f1 in ssh_channel_free (channel=0x190c1e8)
    at C:/msys64/home/jcurl/libssh/src/channels.c:1025
        session = 0x190bfc8
#3  0x031a21d5 in ?? ()

ssh_channel_free is given the value m_Channel, but isn't the value ofsession in frame #1 expected to be 0x19090D8 and not 0x190bfc8?

And I think I've found the problem. I'm calling ssh_disconnect whichappears to also free the channel. And now the crash doesn't appear tooccur when I remove the disconnect.

Follow-Ups:
Re: SIGSEGV on master on ssh_channel_free	Tilo Eckert <tilo.eckert@xxxxxxx>

References:
SIGSEGV on master on ssh_channel_free	Jason Curl <jason@xxxxxxxxxxxxxxxxxxxxxxxx>

Archive administrator: postmaster@lists.cynapses.org