[Bug 2022] New: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
bugzilla-daemon at bugzilla.mindrot.org
Tue Jun 26 14:03:32 EST 2012
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
Bug #: 2022
Summary: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled
resolver and a CNAME
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: gregdlg+mr at hochet.info
Created attachment 2166
--> https://bugzilla.mindrot.org/attachment.cgi?id=2166
Short example
Hello,
Under the following conditions, SSH crashes:
- SSH is compiled with ldns for DNS support
- You use a DNS resolver with DNSSEC enabled
- You have SSHFP keys
- You attempt to connect through a CNAME (instead of the host name, see
attachment)
I have tracked the problem down to the file
openbsd-compat/getrrsetbyname-ldns.c
In function getrrsetbyname, when the DNS resolver sets the ad flags,
ssh doesn't allocate memory to contain RRSIG signatures. However it
still attempts to copy those signatures from the DNS answer. If
rrset->rri_sigs is null, rdata = &rrset->rri_sigs[0] is still null and
the signature is ignored later in the code. Luckily, most of the time,
you only have one signature and there is no problem. If you have a
CNAME, you get two signatures and &rrset->rri_sigs[1] is not null,
hence the segfault.
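The pointer arithmetic behind the crash described in the report, as an added example that is not OpenSSH's code and not part of the original message: with an unallocated signature array, a "slot pointer is non-NULL" test holds only for index 0, so a second RRSIG slips past it. The structs are simplified stand-ins for the ones named in the report, and `naive_guard_passes`, `sig_slot` and `copy_sigs` are hypothetical helper names; `sig_slot` shows a guard based on the allocation and its size rather than on the slot address.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the structures named in the report. */
struct rdatainfo { unsigned int rdi_length; unsigned char *rdi_data; };
struct rrsetinfo { unsigned int rri_nsigs; struct rdatainfo *rri_sigs; };

/* Guard described in the report: is &base[i] non-NULL? Computed on
 * integers so the demo never forms a pointer from a NULL base. */
int naive_guard_passes(const struct rdatainfo *base, size_t i)
{
    return (uintptr_t)base + i * sizeof(struct rdatainfo) != 0;
}

/* Hardened lookup: a slot exists only if the array was allocated and
 * the index is below the number of slots allocated. */
struct rdatainfo *sig_slot(struct rrsetinfo *rrset, size_t i)
{
    if (rrset->rri_sigs == NULL || i >= rrset->rri_nsigs)
        return NULL;
    return &rrset->rri_sigs[i];
}

/* Copy signatures from a (constructed) answer; returns how many were
 * stored. A signature with no slot to receive it is skipped. */
size_t copy_sigs(struct rrsetinfo *rrset, const unsigned char **sig,
                 const size_t *len, size_t nsig)
{
    size_t stored = 0;
    for (size_t i = 0; i < nsig; i++) {
        struct rdatainfo *rdata = sig_slot(rrset, stored);
        if (rdata == NULL)
            continue;
        rdata->rdi_data = malloc(len[i]);
        if (rdata->rdi_data == NULL)
            break;
        memcpy(rdata->rdi_data, sig[i], len[i]);
        rdata->rdi_length = (unsigned int)len[i];
        stored++;
    }
    return stored;
}

int main(void)
{
    printf("naive guard on NULL array: [0]=%d [1]=%d\n",
           naive_guard_passes(NULL, 0), naive_guard_passes(NULL, 1));
    return 0;
}
```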