[Bug 2655] New: AuthorizedKeysCommand with large output can deadlock

bugzilla-daemon at bugzilla.mindrot.org
Fri Dec 30 17:42:56 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2655

            Bug ID: 2655
           Summary: AuthorizedKeysCommand with large output can deadlock
           Product: Portable OpenSSH
           Version: 7.2p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jboning at gmail.com

If an AuthorizedKeysCommand produces a large amount of output, a
deadlock can result. The relevant code is in auth2-pubkey.c, beginning
at line 1041:

        if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
            ac, av, &f)) == 0)
                goto out;

        uid_swapped = 1;
        temporarily_use_uid(pw);

        ok = check_authkeys_file(f, options.authorized_keys_command,
            key, pw);

        if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
                goto out;

Upon finding the correct public key in the command's output, we
immediately wait() for the command to exit. However, the command may
continue to generate output; if the subsequent output is large enough
to fill up the pipe's buffer, the command will block on write() and
never exit, resulting in deadlock.

I believe adding "fclose(f); f = NULL;" after the check_authkeys_file()
call will fix this. (There was indeed an fclose() after the
check_authkeys_file() call prior to v1.50 of auth2-pubkey.c.)

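The hang described in the report, reproduced as an added example (not code from OpenSSH or from the reporter): a parent reads one line from a child's pipe and then polls for the child's exit, with and without closing the stream first. noisy_command, child_exits, the key string and the 4 MiB output size are constructed for the demonstration, and the SIGKILL is there only so the demo itself terminates.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for the command: a key line, then ~4 MiB of filler. */
static void noisy_command(int fd)
{
    const char *key = "ssh-ed25519 AAAA-constructed-key demo\n";
    static char filler[4096];
    memset(filler, '#', sizeof(filler));
    if (write(fd, key, strlen(key)) < 0)
        _exit(1);
    for (int i = 0; i < 1024; i++)
        if (write(fd, filler, sizeof(filler)) < 0)
            _exit(1);               /* EPIPE when SIGPIPE is ignored */
    _exit(0);
}

/* Returns 1 if the child exited within ~1 s, 0 if it was still blocked in
 * write() and had to be killed, -1 on setup failure. */
static int child_exits(int close_before_wait)
{
    struct timespec tick = { 0, 10 * 1000 * 1000 };
    int fds[2], exited = 0;
    char line[256];
    pid_t pid;
    FILE *f;
    if (pipe(fds) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        noisy_command(fds[1]);      /* never returns */
    }
    close(fds[1]);
    if ((f = fdopen(fds[0], "r")) == NULL || !fgets(line, sizeof(line), f))
        return -1;                  /* otherwise: key line read, stop here */
    if (close_before_wait)          /* the change the report proposes */
        fclose(f);
    for (int i = 0; i < 100 && !exited; i++, nanosleep(&tick, NULL))
        exited = waitpid(pid, NULL, WNOHANG) == pid;
    if (!exited && kill(pid, SIGKILL) == 0)     /* demo only: end the hang */
        waitpid(pid, NULL, 0);
    if (!close_before_wait)
        fclose(f);
    return exited;
}
```

In this demo the child that loses its reader ends through SIGPIPE (or a failed write), not a normal exit, so a caller that inspects the wait status sees that.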