Hello,
If channel_by_id() in mux_master_control_cleanup_cb() fails to find the
session channel then pointer "sc" will be NULL when dereferenced.
Index: usr.bin/ssh/mux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/mux.c,v
retrieving revision 1.14
diff -u usr.bin/ssh/mux.c
--- usr.bin/ssh/mux.c 30 Jan 2010 02:54:53 -0000 1.14
+++ usr.bin/ssh/mux.c 27 Mar 2010 09:42:44 -0000
@@ -189,7 +189,7 @@
fatal("%s: channel_by_id(%i) == NULL", __func__, cid);
if (c->remote_id != -1) {
if ((sc = channel_by_id(c->remote_id)) == NULL)
- debug2("%s: channel %d n session channel %d",
+ fatal("%s: channel %d missing session channel %d",
__func__, c->self, c->remote_id);
c->remote_id = -1;
sc->ctl_chan = -1;
