https://bugzilla.suse.com/show_bug.cgi?id=1180501
https://bugzilla.suse.com/show_bug.cgi?id=1180501#c11

Hans Petter Jansson <hpj@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS
              Flags|needinfo?(paka@opensuse.org)|

--- Comment #11 from Hans Petter Jansson <hpj@suse.com> ---
(In reply to Cristian Rodríguez from comment #10)
> On sshd.c
>
> 2042 --> ssh_packet_close(ssh); on line 2402 .. garbage because it has been messed up earlier by,
>
> 2383             /* The connection has been terminated. */
> 2384             packet_destroy_all(ssh, 1, 1);
> 2385             destroy_sensitive_data(ssh, 1);
>
> where packet_destroy_all invokes packet_destroy_state which cipher_free's first ...
>
> this is a bug in the audit patch.
>
> That's the analysis I could afford doing on my limited time to deal with this annoying crash.
Good analysis. I think the reason it doesn't always show up is that cipher_free() clears the struct with freezero(), and on the second call trying to free it again it will bail out on the cc->cipher == NULL precondition. However, if the allocator happens to reuse the memory range in between the two calls it will contain something else resulting in a bad deref or double free.

The fix is to zero the pointers in packet_destroy_state() so they won't be followed later. I submitted rq#861491.

I couldn't find any issues in my smoke test, but then I wasn't seeing the crash before either. Feel free to run your own tests with the origin project (home:hpjansson:branches:network/openssh).
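The failure mode described in the comment, as an added illustration that is not code from OpenSSH or from the bug's submitter: a cipher_free() that bails on cc->cipher == NULL hides the double call until the freed block is reused by another allocation, at which point the dangling pointer in the owner struct leads the second call to free someone else's live context. The struct and function names are simplified stand-ins, and a two-slot pool replaces malloc() so the reuse happens deterministically.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the cipher context; field names are hypothetical. */
struct cipher_ctx { const char *cipher; unsigned char key[16]; };

/* Two-slot pool instead of malloc(), so a freed block is reused
 * deterministically (the "allocator reuses the range" case). */
static struct cipher_ctx pool[2];
static int pool_used[2];
static int free_count;

static struct cipher_ctx *pool_alloc(const char *name) {
    for (int i = 0; i < 2; i++)
        if (!pool_used[i]) { pool_used[i] = 1; pool[i].cipher = name; return &pool[i]; }
    return NULL;
}

/* Mirrors the cipher_free() behaviour described in the comment: bail when
 * cc->cipher == NULL, otherwise wipe the struct (freezero()-style) and free it. */
static void cipher_free(struct cipher_ctx *cc) {
    if (cc == NULL || cc->cipher == NULL)
        return;
    memset(cc, 0, sizeof *cc);
    pool_used[cc - pool] = 0;
    free_count++;
}

struct session_state { struct cipher_ctx *send_ctx; };

/* Buggy teardown: frees the context but leaves the owner's pointer dangling. */
static void packet_destroy_state_buggy(struct session_state *s) { cipher_free(s->send_ctx); }

/* Fixed teardown: also zero the pointer so a later cipher_free() is a no-op. */
static void packet_destroy_state_fixed(struct session_state *s) {
    cipher_free(s->send_ctx);
    s->send_ctx = NULL;
}

/* Runs destroy -> allocator reuse -> second cipher_free() (the later close path)
 * and returns how many blocks were freed: 1 is correct, 2 means the dangling
 * pointer was followed and another owner's live context was freed. */
int teardown_frees(int fixed) {
    memset(pool, 0, sizeof pool); memset(pool_used, 0, sizeof pool_used); free_count = 0;
    struct session_state s = { pool_alloc("aes128-ctr") };
    if (fixed) packet_destroy_state_fixed(&s); else packet_destroy_state_buggy(&s);
    struct cipher_ctx *other = pool_alloc("chacha20-poly1305"); /* lands in the freed slot */
    cipher_free(s.send_ctx);  /* buggy: cc->cipher is non-NULL again, so the bail-out fails */
    (void)other;
    return free_count;
}
```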