openssh 2.3.0p1 crashes

Damien Miller djm at mindrot.org
Wed Dec 13 13:11:54 EST 2000


On Tue, 12 Dec 2000, Christian Recktenwald wrote:

> System: RedHat 7.0, Kernel 2.2.17, glibc-2.1.92-14

Can you replicate with the glibc-2.2 errata RPM installed?

-d

> $ ssh chris@172.16.5.2 -v
> SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090600f).
> debug: Reading configuration data /usr/local/app/openssh-2.3.0p1/etc/ssh_config
> debug: Seeding random number generator
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to 172.16.5.2 [172.16.5.2] port 22.
> debug: Seeding random number generator
> debug: Allocated local port 764.
> debug: Connection established.
> debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
> debug: no match: OpenSSH_2.3.0p1
> debug: Local version string SSH-1.5-OpenSSH_2.3.0p1
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> The authenticity of host '172.16.5.2' can't be established.
> RSA key fingerprint is ff:9c:c7:c2:1a:ee:93:20:7d:92:ee:c7:f9:99:55:fb.
> Are you sure you want to continue connecting (yes/no)? Segmentation fault
> 
> This happens if the public key of the system I want to connect to 
> isn't known to the system I'm connecting from.
> 
> The local system does have access to a DNS server.
> 
> gdb says:
> 
> $ gdb  /usr/local/app/openssh-2.3.0p1/bin/ssh core
> GNU gdb 5.0
> Copyright 2000 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
> Core was generated by `ssh chris 172.16.5.2 -v'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libNoVersion.so.1...done.
> Loaded symbols for /lib/libNoVersion.so.1
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /usr/lib/libz.so.1...done.
> Loaded symbols for /usr/lib/libz.so.1
> Reading symbols from /lib/libutil.so.1...done.
> Loaded symbols for /lib/libutil.so.1
> Reading symbols from /lib/libpam.so.0...done.
> Loaded symbols for /lib/libpam.so.0
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> #0  0x400bf737 in _IO_getline_info (fp=0x80de3d0, buf=0xbfffe834 "ç\e\017\bà\e\017\b(", n=1023, delim=10, extract_delim=1, eof=0x0)
>     at ../sysdeps/i386/i486/bits/string.h:435
> 435     ../sysdeps/i386/i486/bits/string.h: No such file or directory.
> (gdb) where
> #0  0x400bf737 in _IO_getline_info (fp=0x80de3d0, buf=0xbfffe834 "ç\e\017\bà\e\017\b(", n=1023, delim=10, extract_delim=1, eof=0x0)
>     at ../sysdeps/i386/i486/bits/string.h:435
> #1  0x400bf87d in _IO_getline (fp=0x80de3d0, buf=0xbfffe834 "ç\e\017\bà\e\017\b(", n=1023, delim=10, extract_delim=1) at iogetline.c:39
> #2  0x400be938 in _IO_fgets (buf=0xbfffe834 "ç\e\017\bà\e\017\b(", n=1024, fp=0x80de3d0) at iofgets.c:48
> #3  0x804de09 in _start ()
> #4  0x804e1f9 in _start ()
> #5  0x804efb5 in _start ()
> #6  0x804e4bd in _start ()
> #7  0x804cb84 in _start ()
> (gdb) quit
> 
> strace says:
> 
> [...]
> 3295  write(2, "Waiting for server public key.\r\n", 32) = 32
> 3295  select(5, [4], NULL, NULL, NULL)  = 1 (in [4])
> 3295  read(4, "\0\0\1\v\0\0\0\0\0\2\36\311$\2176<\354\33\0\0\3\0\0\6#"..., 8192) = 276
> 3295  write(2, "debug: ", 7)            = 7
> 3295  write(2, "Received server public key (768 "..., 65) = 65
> 3295  open("/root/.ssh/known_hosts", O_RDONLY) = -1 ENOENT (No such file or directory)
> 3295  open("/usr/local/app/openssh-2.3.0p1/etc/ssh_known_hosts", O_RDONLY) = 5
> 3295  fstat(5, {st_mode=S_IFREG|0644, st_size=786, ...}) = 0
> 3295  old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
> 3295  read(5, "pluto,pluto.hwk-stuttgart.de,172"..., 4096) = 786
> 3295  read(5, "", 4096)                 = 0
> 3295  close(5)                          = 0
> 3295  munmap(0x4001a000, 4096)          = 0
> 3295  ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
> 3295  write(2, "The authenticity of host \'172.16"..., 187) = 187
> 3295  --- SIGSEGV (Segmentation fault) ---
> 3295  +++ killed by SIGSEGV +++
> 
> $ ldd /usr/local/bin/ssh
>         /lib/libNoVersion.so.1 => /lib/libNoVersion.so.1 (0x40018000)
>         libdl.so.2 => /lib/libdl.so.2 (0x4001e000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x40021000)
>         libz.so.1 => /usr/lib/libz.so.1 (0x40038000)
>         libutil.so.1 => /lib/libutil.so.1 (0x40046000)
>         libpam.so.0 => /lib/libpam.so.0 (0x40049000)
>         libc.so.6 => /lib/libc.so.6 (0x40051000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> 
> 

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, / 
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org






