[Bug 3941] New: MaxStartups: conversion from single int into new format crashes sshd

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Apr 1 18:37:14 AEDT 2026 

https://bugzilla.mindrot.org/show_bug.cgi?id=3941

            Bug ID: 3941
           Summary: MaxStartups: conversion from single int into new
                    format crashes sshd
           Product: Portable OpenSSH
           Version: 10.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: peter.kaestle at nokia.com

The commit 683d0ab introduced a conversion issue, which converted
"MaxStartups 3" into "10:30:3".  This is wrong, as value1 > value3 and
it causes side effects leading to crash of sshd when MaxStartups
functionality is triggered with this error:
"error: mm_reap: child terminated by signal 15"


I provided a fix proposal here:
https://github.com/openssh/openssh-portable/pull/648/changes/9223c31b7d383d63bfbf81eedde87707f45fdf69

And also a proposal for refactoring the parsing part to be more robust
against such issues here:
https://github.com/openssh/openssh-portable/pull/648/changes/cfc7c0748f8860b983c78a9b97c8256f7ef4770c

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list