[Bug 1633] Race condition in ssh-agent AUTH_CONNECTION

bugzilla-daemon at bugzilla.mindrot.org
Wed Aug 19 06:46:29 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1633



--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-08-19 06:46:27 EST ---
... and here is a theory on how it occurs:

On a heavily loaded ssh-agent, we can create a new socket in the
ssh-agent.c:after_select() loop, via the AUTH_SOCKET case calling
new_socket(). This might increase sockets_alloc past the value it had
when execution entered after_select().

The for() loop in after_select() can therefore progress into sockets
that did not exist when select() and, critically, prepare_select() were
called. prepare_select() sizes and clears the fd_sets that select()
subsequently populates and after_select() tests.

So a new AUTH_CONNECTION socket whose creation increments sockets_alloc
can cause after_select() to test past the end of the allocated fd_sets
and might (depending on what it finds) treat them as ready for reading.


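A small model of the loop-bound race described in the comment, added here as an illustration; it is not OpenSSH's code and does not claim to be the fix that shipped. The unbounded loop re-reads sockets_alloc, so a connection accepted mid-loop is probed against an fd_set that prepare_select() never sized for it; the bounded variant snapshots the count taken at prepare_select() time and leaves the new socket for the next round. The readable array, fd_isset() and run_scenario() are constructed stand-ins for the real fd_set machinery.

```c
/* Model of the after_select() race from bug 1633 (illustration, not OpenSSH code). */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

enum sock_type { AUTH_UNUSED, AUTH_SOCKET, AUTH_CONNECTION };

#define MAX_SOCKETS 16
static enum sock_type sockets[MAX_SOCKETS];
static size_t sockets_alloc;      /* slots in use; grows when new_socket() accepts */

/* Stand-in for the fd_set prepare_select() sizes: only indices < readable_len
 * were initialised before select() ran. */
static bool readable[MAX_SOCKETS];
static size_t readable_len;

static void new_socket(enum sock_type t) {
    if (sockets_alloc < MAX_SOCKETS) sockets[sockets_alloc++] = t;
}

static void prepare_select(void) {
    readable_len = sockets_alloc;
    memset(readable, 0, sizeof readable);
}

/* Probe the fd_set; a probe beyond readable_len is counted as out of range and
 * modelled as a stale bit that happens to look "ready". */
static bool fd_isset(size_t i, size_t *oob) {
    if (i >= readable_len) { (*oob)++; return true; }
    return readable[i];
}

/* Returns the number of out-of-range fd_set probes. bounded=false re-reads
 * sockets_alloc as the loop bound (the race); bounded=true uses the snapshot. */
static size_t after_select(bool bounded, size_t *treated_ready) {
    size_t oob = 0, limit = readable_len;
    *treated_ready = 0;
    for (size_t i = 0; i < (bounded ? limit : sockets_alloc); i++) {
        if (sockets[i] == AUTH_SOCKET && fd_isset(i, &oob))
            new_socket(AUTH_CONNECTION);         /* accept(): sockets_alloc grows here */
        else if (sockets[i] == AUTH_CONNECTION && fd_isset(i, &oob))
            (*treated_ready)++;                  /* would try to read a request */
    }
    return oob;
}

/* Constructed scenario: one listening socket with a client connecting. */
static size_t run_scenario(bool bounded, size_t *treated_ready) {
    sockets_alloc = 0;
    new_socket(AUTH_SOCKET);
    prepare_select();
    readable[0] = true;
    return after_select(bounded, treated_ready);
}
```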