[Bug 1633] Race condition in ssh-agent AUTH_CONNECTION
bugzilla-daemon at bugzilla.mindrot.org
Wed Aug 19 06:46:29 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1633
--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-08-19 06:46:27 EST ---
... and here is a theory on how it occurs:
on a heavily loaded ssh-agent, we can create a new socket in the
ssh-agent.c:after_select() loop, via the AUTH_SOCKET case calling
new_socket(). This might increase sockets_alloc past the value it had
when execution enters after_select().
The for() loop in after_select() can therefore progress into sockets
that did not exist when select() and, critically, prepare_select() was
called. prepare_select() sizes and clears the fd_sets that select()
subsequently populates and after_select() tests.
So a new AUTH_CONNECTION socket whose creation increments sockets_alloc
can cause after_select to test past the end of the allocated fd_sets
and might (depending on what it finds) treat them as ready for reading.
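As an added illustration of the mechanism described in the comment above (constructed model, not ssh-agent's own code), here is a C sketch of a socket table that grows while the after_select() loop is running, with an `nfds` bound recorded at prepare_select() time; the `guard` flag shows one way to skip descriptors the fd_set was never sized for. The `sock_t`, `reset_table()` and `guard` names are assumptions of the model.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>

/* Constructed model of ssh-agent's socket table. The names mirror the
 * comment above; the code is illustrative, not OpenSSH's. */
enum { AUTH_UNUSED = 0, AUTH_SOCKET = 1, AUTH_CONNECTION = 2 };
typedef struct { int fd; int type; } sock_t;
static sock_t sockets[16];
static int sockets_alloc, max_fd;   /* sockets_alloc grows on new_socket() */

static void reset_table(void) {
    memset(sockets, 0, sizeof(sockets));
    sockets_alloc = max_fd = 0;
}

static void new_socket(int type, int fd) {
    if (sockets_alloc >= (int)(sizeof(sockets) / sizeof(*sockets))) return;
    sockets[sockets_alloc].fd = fd;
    sockets[sockets_alloc].type = type;
    if (fd > max_fd) max_fd = fd;
    sockets_alloc++;
}

/* prepare_select(): clears the read set and fixes the bound it is valid
 * for, nfds = max_fd + 1, from the descriptors known right now. (A full
 * fd_set is allocated so the model itself stays well-defined.) */
static int prepare_select(fd_set **readsetp) {
    *readsetp = calloc(1, sizeof(fd_set));
    return max_fd + 1;
}

/* after_select(): walks the table, which can grow mid-loop when the
 * AUTH_SOCKET case accepts a connection. Returns how many FD_ISSET()
 * tests would land at or beyond nfds, i.e. past what prepare_select()
 * sized; with 'guard' set those sockets are skipped instead. */
static int after_select(fd_set *readset, int nfds, int guard) {
    int i, past_end = 0;
    for (i = 0; i < sockets_alloc; i++) {
        int fd = sockets[i].fd;
        if (sockets[i].type == AUTH_UNUSED) continue;
        if (fd >= nfds) {            /* created after prepare_select() */
            if (!guard) past_end++;  /* unguarded: an out-of-bounds read */
            continue;
        }
        if (sockets[i].type == AUTH_SOCKET && FD_ISSET(fd, readset))
            new_socket(AUTH_CONNECTION, max_fd + 1);   /* models accept() */
    }
    return past_end;
}
```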