[Bug 3581] New: ssh-keyscan fails with `fdlim_get: bad value` with large file descriptor limit due to type confusion

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jun 21 01:42:26 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3581

            Bug ID: 3581
           Summary: ssh-keyscan fails with `fdlim_get: bad value` with
                    large file descriptor limit due to type confusion
           Product: Portable OpenSSH
           Version: 9.3p1
          Hardware: ARM64
                OS: Mac OS X
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keyscan
          Assignee: unassigned-bugs at mindrot.org
          Reporter: janerik at fnordig.de

ssh-keyscan fails with an obscure `fdlim_get: bad value` error when the
value returned from `sysconf(_SC_OPEN_MAX)` does not fit into the 32
bits of an `int`.

This happens on my M1 MacBook (with the system-provided `ssh-keyscan`)
where I somehow have an `unlimited` file descriptor limit (which really
is `INT64_MAX` or `9223372036854775807`, note that this seems
non-standard).

Changing the limit to something below `INT_MAX` works.
And then `ssh-keyscan` picks `maxfd=256` anyway.

See this shell session:

```
$ ulimit -n
unlimited
$ ssh-keyscan -t ed25519 github.com
ssh-keyscan: fdlim_get: bad value
$ ulimit -n 4294967295
$ ssh-keyscan -t ed25519 github.com
ssh-keyscan: fdlim_get: bad value
$ ulimit -n 2147483648
$ ssh-keyscan -t ed25519 github.com
ssh-keyscan: fdlim_get: bad value
$ ulimit -n 2147483647
$ ssh-keyscan -t ed25519 github.com
# github.com:22 SSH-2.0-babeld-6732d282
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
```

Looking at the code of openssh-portable here[1] shows that `fdlim_get`
returns an `int`, but the fields of `struct rlimit` and the return
value of `sysconf`[2] are `long`, thus 64-bit.

Given that large values like on my machine probably are not set too
often, this probably won't affect many people. And a simple workaround
exists.
So maybe this is a wontfix, but I figured I'd still report it and let
you decide.

[1]: https://github.com/openssh/openssh-portable/blob/b4ac435b4e67f8eb5932d8f59eb5b3cf7dc38df0/ssh-keyscan.c#L129-L130
[2]: `SSH_SYSFDMAX` is defined as `sysconf(_SC_OPEN_MAX)`

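The narrowing described in the report, shown as an added example that is not OpenSSH's code and not part of the original message: a 64-bit limit returned through an `int`, next to a variant that saturates at `INT_MAX`. The function names are hypothetical, and it is assumed that the caller treats a negative result as the "bad value" case.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>

/* Buggy pattern: a 64-bit limit leaves the function as an int.
 * Out-of-range conversion is implementation-defined; gcc and clang
 * keep the low 32 bits, so large limits come out negative. */
static int narrow_unchecked(int64_t limit)
{
    return (int)limit;
}

/* Hardened pattern: reject negatives, saturate anything above INT_MAX. */
static int narrow_clamped(int64_t limit)
{
    if (limit < 0)
        return -1;
    if (limit > INT_MAX)
        return INT_MAX;
    return (int)limit;
}

/* Read this process's hard RLIMIT_NOFILE and clamp it before narrowing. */
static int fd_limit_clamped(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
        return -1;
    if (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > (rlim_t)INT_MAX)
        return INT_MAX;
    return (int)rl.rlim_max;
}

int main(void)
{
    /* Constructed inputs: the four limits tried in the shell session. */
    const int64_t samples[] = { INT64_MAX, 4294967295LL, 2147483648LL, 2147483647LL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%lld -> unchecked %d, clamped %d\n", (long long)samples[i],
               narrow_unchecked(samples[i]), narrow_clamped(samples[i]));
    printf("hard limit of this process, clamped: %d\n", fd_limit_clamped());
    return 0;
}
```

With gcc or clang the first three sample limits narrow to negative values and only `2147483647` survives, which matches the pattern of failures in the session above.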