On Sun, May 11, 2014 at 10:41 PM, Seth Hanford <[email protected]> wrote:

> While working on consolidating some firewalls, I ended up creating an
> incomplete /etc/hosts file entry. One line of that file was simply an IP
> address:
> 192.168.100.25
>
> Upon ssh from that host (.25) to my sshd server (192.168.100.4), the
> sshd on .4 segfaulted. Log output of /usr/sbin/sshd included below.
>
> It appears as if line 71 of canohost.c is not properly handling this
> hosts entry. I verified this on another host that I had at the same
> patch level & which I hadn't been messing around with. (all it took was
> to add the IP to /etc/hosts and 'pkill -HUP sshd')
>
> Obviously my /etc/hosts was wrong, but it seems like sshd shouldn't
> segfault here.

[...]

Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
I've been kinda busy recently so I haven't kept up with recent changes so
I'm not sure exactly what's changed in there.  Looks like it should be
readily reproducible outside of sshd with a call to getnameinfo().

$ sudo gdb -q --args /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p 2022
(gdb) run
Starting program: /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p 2022
[...]
Program received signal SIGSEGV, Segmentation fault.
strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
43              for (s = str; *s; ++s)
(gdb) bt
#0  strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
#1  0x0154422d in hostent_set_cname (h=0x88f4f800, name=0x0,
isdname=Variable "isdname" is not available.
)
    at /usr/src/lib/libc/asr/gethostnamadr_async.c:580
#2  0x01544a65 in gethostnamadr_async_run (as=0x86bef800, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/gethostnamadr_async.c:452
#3  0x01558e13 in asr_run (as=0x86bef800, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/asr.c:199
#4  0x01541acf in getnameinfo_async_run (as=0x83012d00, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/getnameinfo_async.c:157
#5  0x01558e13 in asr_run (as=0x83012d00, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/asr.c:199
#6  0x01558e87 in asr_run_sync (as=0x83012d00, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/asr.c:224
#7  0x0154178b in getnameinfo (sa=0xcfbcc854, salen=16, host=0xcfbccdb0 "",
    hostlen=256, serv=0x0, servlen=0, flags=8)
    at /usr/src/lib/libc/asr/getnameinfo.c:47


-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

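The guard this thread points at, as an added example that is not code from OpenSSH or the OpenBSD libc resolver: a small hosts(5) line parser that treats the reporter's address-only line as malformed and skips it, instead of passing a NULL canonical name downstream where strlen() would dereference it. The sample hosts lines and the hostname sshd-host are constructed for the example.

```c
/* Added example (not OpenSSH or OpenBSD libc code): a hosts(5) line parser that
 * skips an address-only line instead of passing a NULL name on to strlen(). */
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct host_entry {
    char addr[INET6_ADDRSTRLEN];
    char cname[256];              /* canonical name: first name token */
};
/* Parse "<addr> <cname> [alias ...]". Returns 1 if usable, 0 if skipped. */
int parse_hosts_line(const char *line, struct host_entry *out)
{
    char buf[512], *tok;
    struct in_addr a4; struct in6_addr a6;
    memset(out, 0, sizeof(*out));
    if (strlen(line) >= sizeof(buf))
        return 0;
    strcpy(buf, line);
    buf[strcspn(buf, "#\r\n")] = '\0';      /* strip comment and newline */
    tok = strtok(buf, " \t");
    if (tok == NULL)
        return 0;                           /* blank or comment-only line */
    if (inet_pton(AF_INET, tok, &a4) != 1 && inet_pton(AF_INET6, tok, &a6) != 1)
        return 0;                           /* first field is not an address */
    strncpy(out->addr, tok, sizeof(out->addr) - 1);
    /* The case from the backtrace: no name follows the address. Reject the
     * line here instead of handing name=0x0 to the code that stores it. */
    tok = strtok(NULL, " \t");
    if (tok == NULL || strlen(tok) >= sizeof(out->cname))
        return 0;
    strcpy(out->cname, tok);
    return 1;
}

/* Constructed sample: the reporter's bare-address line beside a normal entry. */
static const char *sample_hosts[] = {
    "192.168.100.25",                   /* address only: the line that crashed sshd */
    "192.168.100.4   sshd-host sshd",   /* well-formed entry (constructed name) */
};

/* Count usable entries in the sample; the bare address is skipped, not crashed on. */
int usable_entries(void)
{
    struct host_entry e; int n = 0;
    for (size_t i = 0; i < sizeof(sample_hosts) / sizeof(*sample_hosts); i++)
        n += parse_hosts_line(sample_hosts[i], &e);
    return n;
}
```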