[Bug 2022] New: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Jun 26 14:03:32 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=2022

             Bug #: 2022
           Summary: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled
                    resolver and a CNAME
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.0p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: gregdlg+mr at hochet.info


Created attachment 2166
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2166
Short example

Hello,

Under the following conditions, SSH crashes:
- SSH is compiled with ldns for DNS support
- You use a DNS resolver with DNSSEC enabled
- You have SSHFP keys
- You attempt to connect through a CNAME (instead of the host name, see
attachment)

I have tracked the problem down to the file
openbsd-compat/getrrsetbyname-ldns.c

In function getrrsetbyname, when the DNS resolver sets the ad flag,
ssh doesn't allocate memory to contain RRSIG signatures. However, it
still attempts to copy those signatures from the DNS answer. If
rrset->rri_sigs is null, rdata = &rrset->rri_sigs[0] is still null and
the signature is ignored later in the code. Luckily, most of the time
you only have one signature and there is no problem. If you have a
CNAME, you get two signatures and &rrset->rri_sigs[1] is not null,
hence the segfault.

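The failure mode described in the report, as an added example that is not part of the bug report or of OpenSSH's getrrsetbyname-ldns.c: the structures below are simplified stand-ins for the rrsetinfo/rdatainfo types that getrrsetbyname() fills in (only rri_sigs is named on the page; rri_nsigs, rdi_length and rdi_data are assumptions), the two RRSIG payloads are constructed, and buggy_check_passes() models why a NULL-based &rri_sigs[i] passes a NULL test for i = 1 but not for i = 0. copy_signatures() is the hardened form: it validates the array base and slot count before writing, which is the check a defender wants regardless of whether the resolver set the AD flag.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-ins for the rrsetinfo/rdatainfo structures that
 * getrrsetbyname() fills in. Only rri_sigs comes from the bug report;
 * the other field names are assumptions for this example. */
struct rdatainfo {
	unsigned int rdi_length;      /* length of rdi_data in bytes */
	unsigned char *rdi_data;      /* copy of the record's RDATA */
};

struct rrsetinfo {
	unsigned int rri_nsigs;       /* RRSIG slots actually allocated */
	struct rdatainfo *rri_sigs;   /* NULL when allocation was skipped */
};

/* Constructed RRSIG payloads standing in for the two signatures a
 * CNAME answer carries (one for the CNAME, one for the SSHFP RRset). */
static const unsigned char sample_sig0[] = { 0x01, 0x02, 0x03 };
static const unsigned char sample_sig1[] = { 0x04, 0x05 };

/* Models the defective check: the element address &rri_sigs[i] is
 * formed first and only that result is compared with NULL. Returns 1
 * when iteration i would slip past the check and write through the
 * pointer. Computed on uintptr_t so the model itself is well defined. */
static int buggy_check_passes(const struct rdatainfo *sigs, unsigned int i)
{
	uintptr_t elem = (uintptr_t)sigs + (uintptr_t)i * sizeof(struct rdatainfo);
	return elem != 0;
}

/* Release every copied signature and the slot array itself. */
static void free_signatures(struct rrsetinfo *rrset)
{
	unsigned int i;
	if (rrset->rri_sigs == NULL)
		return;
	for (i = 0; i < rrset->rri_nsigs; i++)
		free(rrset->rri_sigs[i].rdi_data);
	free(rrset->rri_sigs);
	rrset->rri_sigs = NULL;
	rrset->rri_nsigs = 0;
}

/* Hardened copy: validate the array base and the slot count before
 * writing anything. Returns the number of signatures copied, or -1. */
static int copy_signatures(struct rrsetinfo *rrset,
    const unsigned char *const *sigs, const unsigned int *lens,
    unsigned int count)
{
	unsigned int i, j;

	if (count == 0)
		return 0;
	/* Caller never allocated, or the answer carries more RRSIGs than slots. */
	if (rrset->rri_sigs == NULL || count > rrset->rri_nsigs)
		return -1;

	for (i = 0; i < count; i++) {
		struct rdatainfo *rd = &rrset->rri_sigs[i];
		rd->rdi_data = malloc(lens[i]);
		if (rd->rdi_data == NULL) {
			for (j = 0; j < i; j++) {   /* undo partial copies */
				free(rrset->rri_sigs[j].rdi_data);
				rrset->rri_sigs[j].rdi_data = NULL;
			}
			return -1;
		}
		memcpy(rd->rdi_data, sigs[i], lens[i]);
		rd->rdi_length = lens[i];
	}
	return (int)count;
}

int main(void)
{
	struct rrsetinfo rrset = { 0, NULL };
	const unsigned char *sigs[] = { sample_sig0, sample_sig1 };
	unsigned int lens[] = { sizeof sample_sig0, sizeof sample_sig1 };

	/* Why one signature "works" and two crash: with a NULL base, index 0
	 * yields NULL (skipped), index 1 yields sizeof(struct rdatainfo). */
	printf("index 0 would be written: %d\n", buggy_check_passes(NULL, 0));
	printf("index 1 would be written: %d\n", buggy_check_passes(NULL, 1));

	/* Hardened path: refuses the unallocated rrset, accepts an allocated one. */
	printf("copy into unallocated: %d\n", copy_signatures(&rrset, sigs, lens, 2));
	rrset.rri_nsigs = 2;
	rrset.rri_sigs = calloc(2, sizeof(struct rdatainfo));
	printf("copy into allocated:   %d\n", copy_signatures(&rrset, sigs, lens, 2));
	free_signatures(&rrset);
	return 0;
}
```

The point of the model is that testing the computed element pointer is the wrong check: a NULL base plus a non-zero offset is never NULL, so the test only ever protects index 0. Checking the base and the allocated count up front turns the second signature from a crash into a clean error the caller can report.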