I found a place where all FDs from 3 and up are closed with a closefrom() call,
and this is done twice. This would seem to provide the opportunity for
getaddrinfo() to open a socket on FD 3, which is then closed again before
getaddrinfo is done with it. Here are the two closefrom()s:
session.c: 1607 (the closefrom(3) occurs inside the child_close_fds()
function):
    /*
     * Close the connection descriptors; note that this is the child, and
     * the server will still have the socket open, and it is important
     * that we do not shutdown it. Note that the descriptors cannot be
     * closed before building the environment, as we call
     * ssh_remote_ipaddr there.
     */
    child_close_fds(ssh);
Then closefrom(3) is called a second time in the same do_child() function at
session.c: 1663:
    closefrom(STDERR_FILENO + 1);
I believe this exposes getaddrinfo() running in a different thread to the
condition described in BZ #12926:
12926 - getaddrinfo()/make_request() may spin forever
<https://sourceware.org/bugzilla/show_bug.cgi?id=12926>
I also see that both of these closefrom calls have been in place for many
years. Is there a reason this FD cleanup is being done twice?
David Eoll
Microsoft Corp.
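The hazard behind this report, written out as an added illustration that is not part of the message above or of the OpenSSH sources: a descriptor that one thread still remembers is swept away by a closefrom()-style cleanup, the kernel hands the same number to the next open, and the first thread's I/O silently lands on the wrong object instead of failing loudly. The program runs the sequence in a single thread, step by step, so the outcome is deterministic; close_from() is a constructed stand-in for closefrom(3) bounded to the descriptors the example creates, and demo_stale_fd() is an assumed name.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for closefrom(3), which is not available everywhere:
 * close every descriptor from lowfd up to maxfd. The upper bound keeps the
 * example from touching descriptors the surrounding process may own. */
static void close_from(int lowfd, int maxfd)
{
    for (int fd = lowfd; fd <= maxfd; fd++)
        close(fd);   /* EBADF on a gap is harmless here */
}

/* Plays the race in order, in one thread:
 *   "thread A" owns a socket; "thread B" runs closefrom(); unrelated code
 *   (think make_request() inside getaddrinfo()) opens a new socket and gets
 *   the recycled number; thread A keeps using the number it remembers.
 * Returns 1 when thread A's write is silently misdirected to the new socket,
 * 0 when the stale descriptor merely fails with EBADF, negative on setup
 * error. */
int demo_stale_fd(void)
{
    int a[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, a) < 0)
        return -1;
    int stale = a[0];                         /* the number thread A holds on to */
    int lo = a[0] < a[1] ? a[0] : a[1];
    int hi = a[0] > a[1] ? a[0] : a[1];

    /* Thread B: the cleanup sweep closes thread A's socket out from under it. */
    close_from(lo, hi);

    /* Unrelated code opens a new socket; the kernel returns the lowest free
     * number, which is exactly the one thread A still remembers. */
    int b[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, b) < 0)
        return -2;

    /* Thread A: write to "its" socket using the stale number. */
    char out = 'x', in = 0;
    ssize_t n = write(stale, &out, 1);
    if (n < 0 && errno == EBADF) {            /* number not recycled: loud failure */
        close(b[0]); close(b[1]);
        return 0;
    }
    if (b[0] != stale && b[1] != stale) {     /* recycled by something else entirely */
        close(b[0]); close(b[1]);
        return 0;
    }

    /* The byte shows up on the new socketpair, not on thread A's original peer. */
    int peer = (b[0] == stale) ? b[1] : b[0];
    n = read(peer, &in, 1);
    close(b[0]); close(b[1]);
    return (n == 1 && in == 'x') ? 1 : 0;
}

int main(void)
{
    int r = demo_stale_fd();
    if (r == 1)
        printf("write via the stale descriptor was misdirected to a new socket\n");
    else if (r == 0)
        printf("stale descriptor failed with EBADF (number not recycled)\n");
    else
        printf("setup failed\n");
    return r < 0;
}
```

The point the two-thread version of this makes is that the quiet outcome is the common one: a blanket closefrom(3) run while another thread is inside getaddrinfo() does not produce an EBADF that the library could react to, it hands the library a descriptor belonging to something else, which is the kind of confusion that lets make_request() keep waiting on the wrong endpoint. The defensive pattern is to close only the descriptors the caller itself opened, or to run the sweep before any helper thread can be active.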