[Bug 3906] Misusing 'Match Host' in server config causes a crash at deferred connection time
bugzilla-daemon at mindrot.org
Fri Dec 19 09:24:25 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3906
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Adding some debugging, we can see it gets as far as subsystem_command:
debug1: M_CP_STRARRAYSTROPT subsystem_name
debug1: M_CP_STRARRAYSTROPT subsystem_command
It's a two-part macro where the first part is in servconf.h:
M_CP_STRARRAYOPT(subsystem_name, num_subsystems); \
M_CP_STRARRAYOPT(subsystem_command, num_subsystems); \
M_CP_STRARRAYOPT(subsystem_args, num_subsystems); \
and the second part is:
#define M_CP_STRARRAYOPT(s, num_s) do {\
	u_int i; \
	debug("M_CP_STRARRAYSTROPT %s", #s); \
	if (src->num_s != 0) { \
		for (i = 0; i < dst->num_s; i++) \
			free(dst->s[i]); \
		free(dst->s); \
		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
		for (i = 0; i < src->num_s; i++) \
			dst->s[i] = xstrdup(src->s[i]); \
		dst->num_s = src->num_s; \
	} \
} while(0)
Program received signal SIGSEGV, Segmentation fault.
0x0000555555568e8a in copy_set_server_options (dst=0x55555566c060 <options>, src=0x7fffffffd490, preauth=0) at ../../servconf.c:3016
3016 COPY_MATCH_STRING_OPTS();
(gdb) print src->num_subsystems
$2 = 1
(gdb) print src->subsystem_name[0]
$2 = 0x5555556c5df0 "sftp"
(gdb) print src->subsystem_command[0]
$3 = 0x5555556c5e10 "internal-sftp"
(gdb) print dst->num_subsystems
$4 = 1
(gdb) print dst->subsystem_command[0]
Cannot access memory at address 0x0
I think what's happening is that M_CP_STRARRAYOPT first copies
subsystem_name and sets dst->num_subsystems, then when it goes to
process subsystem_command it thinks there is already one entry in
dst->subsystem_command[] that needs to be freed, which there isn't.
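Added example, not OpenSSH's code: the same three-array copy written as one routine that reads the shared count once before any free and writes it once after all copies, and never walks a NULL destination array, so the stale-count state shown in the gdb session cannot be dereferenced. struct srv_opts, copy_strarray and copy_subsystem_opts are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the ServerOptions fields involved; not OpenSSH's struct. */
struct srv_opts {
	char **subsystem_name;
	char **subsystem_command;
	char **subsystem_args;
	unsigned int num_subsystems;
};

/*
 * Replace *dst (dst_n entries) with a deep copy of src (src_n entries).
 * dst_n is the count that was valid when *dst was allocated, and a NULL
 * *dst is never walked, so a count updated by an earlier array copy cannot
 * cause the NULL dereference seen in the gdb session above.
 */
static void copy_strarray(char ***dst, unsigned int dst_n, char **src, unsigned int src_n)
{
	unsigned int i;

	if (*dst != NULL) {
		for (i = 0; i < dst_n; i++)
			free((*dst)[i]);
		free(*dst);
	}
	if ((*dst = calloc(src_n, sizeof(**dst))) == NULL)
		abort();
	for (i = 0; i < src_n; i++)
		if (((*dst)[i] = strdup(src[i])) == NULL)
			abort();
}

/*
 * Copy the three parallel arrays. The shared count is read once, before any
 * free, and written once after all three copies, unlike the per-array macro.
 */
void copy_subsystem_opts(struct srv_opts *dst, const struct srv_opts *src)
{
	unsigned int old_n = dst->num_subsystems;

	if (src->num_subsystems == 0)
		return;
	copy_strarray(&dst->subsystem_name, old_n, src->subsystem_name, src->num_subsystems);
	copy_strarray(&dst->subsystem_command, old_n, src->subsystem_command, src->num_subsystems);
	copy_strarray(&dst->subsystem_args, old_n, src->subsystem_args, src->num_subsystems);
	dst->num_subsystems = src->num_subsystems;
}
```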