Re: Bugfix T124 connector: Fallback on the socket output callback leads to SIGSEGV
- Subject: Re: Bugfix T124 connector: Fallback on the socket output callback leads to SIGSEGV
- From: g4-lisz@xxxxxxxxxxxx
- Reply-to: libssh@xxxxxxxxxx
- Date: Sun, 24 Mar 2019 14:56:32 +0100
- To: libssh@xxxxxxxxxx
- Cc: davidwe@xxxxxxxxx, "asn@xxxxxxxxxxxxxx >> Andreas Schneider" <asn@xxxxxxxxxxxxxx>
On 24.03.19 12:49, g4-lisz@xxxxxxxxxxxx wrote:
> Hi there,
>
> The commit
> https://git.libssh.org/projects/libssh.git/commit/?id=b73ffb3f91ea26412482d145512e4261df903df7
> to fix ticket T124 introduces a new issue.
>
> On certain constellations, calling ssh_event_dopoll() leads to a SIGSEGV:
>
> #0 0x0000000000000090 in ?? ()
> #1 0x00007ffff7b6c272 in ssh_packet_socket_controlflow_callback
> (code=2, userdata=0x611e80) at /home/till/libssh-master/src/packet.c:1388
> #2 0x00007ffff7b7a3c8 in ssh_socket_pollcallback (p=0x6125c0, fd=5,
> revents=4, v_s=0x611a50) at /home/till/libssh-master/src/socket.c:355
> #3 0x00007ffff7b75912 in ssh_poll_ctx_dopoll (ctx=0x7ffff0003180,
> timeout=20) at /home/till/libssh-master/src/poll.c:702
> #4 0x00007ffff7b75dd1 in ssh_event_dopoll (event=0x7ffff00027d0,
> timeout=20) at /home/till/libssh-master/src/poll.c:963
> #5 0x0000000000405387 in per_conn_thread (args=0x611e80) at
> src/ssh-direct-tcp.c:1254
>
> I could track this down to
>
> #define ssh_callbacks_execute_list(list, cbtype, c, ...) \
>     do { \
>         struct ssh_iterator *i = ssh_list_get_iterator(list); \
>         cbtype cb; \
>         while (i != NULL){ \
>             cb = ssh_iterator_value(cbtype, i); \
>             if (ssh_callbacks_exists(cb, c)) \
>                 cb-> c (__VA_ARGS__, cb->userdata); \
>             i = i->next; \
>         } \
>     } while(0)

Some information was missing from my first mail:

- The application which crashes since this change does not use connectors at all.
- The problem disappears when removing the line

    ssh_packet_register_socket_callback(session, session->socket);

  from server.c in ssh_server_connection_callback().

When adding the line from above, ssh_event_dopoll() apparently calls channel_write_wontblock_function CBs of every channel in the session.

Now the problem is that for adding channel CBs of my own, I was simply using this code:

    struct ssh_channel_callbacks_struct *cb_chan;
    cb_chan = malloc(sizeof *cb_chan);
    ssh_callbacks_init(cb_chan);
    cb_chan->channel_data_function = my_channel_data_function;

I don't set /.channel_write_wontblock_function/. So this field is undefined, and that's where the problem comes from.

Now I could solve it by simply zeroing the CB structures:

    cb_chan = malloc(sizeof *cb_chan);
    (*cb_chan) = (const struct ssh_channel_callbacks_struct){ 0 };

Cheers,
Till
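
The failure mode described in the mail, reduced to a stand-alone model. This is an added example, not part of the original message and not libssh code: struct chan_callbacks, CB_EXISTS and the 0xA5 fill are hypothetical stand-ins, and the existence check is assumed to be a size bound plus a non-NULL test.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a libssh-style callback table (not libssh's struct). */
struct chan_callbacks {
    size_t size;                                  /* filled in by the init step */
    void *userdata;
    int (*on_data)(size_t len, void *userdata);
    int (*on_write_wontblock)(size_t bytes, void *userdata);
};

/* Assumed existence check: the field lies within `size` and is non-NULL. */
#define CB_EXISTS(p, c) \
    ((char *)&((p)->c) < (char *)(p) + (p)->size && (p)->c != NULL)

static int my_data(size_t len, void *userdata) { (void)userdata; return (int)len; }

/* Allocate a table; `zeroed` selects calloc() over a malloc() whose bytes are
 * filled with 0xA5 to model recycled heap memory (constructed, deterministic). */
static struct chan_callbacks *new_table(int zeroed) {
    struct chan_callbacks *cb = zeroed ? calloc(1, sizeof *cb) : malloc(sizeof *cb);
    if (cb == NULL) return NULL;
    if (!zeroed) memset(cb, 0xA5, sizeof *cb);
    cb->size = sizeof *cb;        /* all that the init step sets */
    cb->on_data = my_data;        /* the one handler the caller registers */
    return cb;
}

/* Returns 1 if a dispatcher would invoke on_write_wontblock, 0 if it would
 * skip it, -1 on allocation failure. The stale pointer is never called. */
int would_dispatch_unset_handler(int zeroed) {
    struct chan_callbacks *cb = new_table(zeroed);
    if (cb == NULL) return -1;
    int hit = CB_EXISTS(cb, on_write_wontblock) ? 1 : 0;
    free(cb);
    return hit;
}

int main(void) {
    printf("unzeroed table: dispatch=%d\n", would_dispatch_unset_handler(0));
    printf("zeroed table:   dispatch=%d\n", would_dispatch_unset_handler(1));
    return 0;
}
```

With the unzeroed table the check passes on leftover bytes, so a dispatcher that starts iterating a handler the application never registered jumps to whatever the heap held; zeroing before the init step makes the same check skip it.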