Problem with openssh on linux 2.0.34 mips
Jim Knoble
jmknoble at pobox.com
Thu Jun 27 01:09:50 EST 2002
Circa 2002-Jun-26 12:36:51 +0200 dixit Erik Tews:
: On Wed, Jun 26, 2002 at 06:58:12PM +1000, Darren Tucker wrote:
: > Erik Tews wrote:
: > > Jun 25 20:25:46 raq2 sshd[16129]: fatal: mm_receive_fd: expected type 1
: > > got 269726544
[...]
: > With privsep on and compression off I get:
: > mm_receive_fd: expected type 1 got 1074194385
The problem is that the Linux kernel-2.0.x doesn't set the cmsg_type of
the struct cmsghdr in recvmsg(). Check out this snippet from
kernel-2.0.39's net/unix/af_unix.c:
--------
static int unix_recvmsg(struct socket *sock, struct msghdr *msg, int size, int noblock, int flags, int *addr_len)
{
...
	if(msg->msg_control)
	{
		cm=unix_copyrights(msg->msg_control,
			msg->msg_controllen);
		if(cm==NULL || msg->msg_controllen<sizeof(struct cmsghdr)
#if 0
/* investigate this further -- Stevens example doesn't seem to care */
			||
			cm->cmsg_type!=SCM_RIGHTS ||
			cm->cmsg_level!=SOL_SOCKET ||
			msg->msg_controllen!=cm->cmsg_len
#endif
		)
--------
Another fun one is this snippet from 2.0.39's include/linux/socket.h:
--------
struct msghdr
{
        void *          msg_name;       /* Socket name */
        int             msg_namelen;    /* Length of name */
        struct iovec *  msg_iov;        /* Data blocks */
        int             msg_iovlen;     /* Number of blocks */
        void *          msg_control;    /* Per protocol magic (eg BSD file descriptor passing) */
        int             msg_controllen; /* Length of rights list */
        int             msg_flags;      /* 4.4 BSD item we dont use */
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
};
--------
Yee-haw.
The attached patch ignores the cmsg_type and causes
UsePrivilegeSeparation to "work" (although you still need to turn off
compression via 'Compression no' in sshd_config).
+---------------------------------------------------------------------+
| ¡¡¡CAUTION!!! This patch may decrease the security of the           |
| privilege-separated code, since it is now making an unvalidated     |
| assumption about the content of the message it receives over a      |
| socket. Don't blame me if someone breaks into your machine because  |
| you used this patch! No warranty, etc., etc.                        |
+---------------------------------------------------------------------+
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
--- ./monitor_fdpass.c.orig-linux20 Thu Jun 6 17:40:51 2002
+++ ./monitor_fdpass.c Tue Jun 25 18:37:57 2002
@@ -112,9 +112,12 @@
fatal("%s: no fd", __func__);
#else
cmsg = CMSG_FIRSTHDR(&msg);
+#if 0
+ /* Linux kernel 2.0.x doesn't handle cmsg_type in recvmsg(). */
if (cmsg->cmsg_type != SCM_RIGHTS)
fatal("%s: expected type %d got %d", __func__,
SCM_RIGHTS, cmsg->cmsg_type);
+#endif /* 0 */
fd = (*(int *)CMSG_DATA(cmsg));
#endif
return fd;
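Review bot: the bare `#if 0` disables the SCM_RIGHTS type check on every platform, not only the Linux 2.0.x named in the comment, and because the af_unix.c snippet earlier in this mail shows 2.0.39 keeping its own cmsg_type/cmsg_level/cmsg_len checks under `#if 0` as well, nothing on that kernel validates the control message before `fd = (*(int *)CMSG_DATA(cmsg));`. Suggest keying the removal to a configure-time define for the affected kernel (a hypothetical `#ifndef BROKEN_CMSG_TYPE` around the `if (cmsg->cmsg_type != SCM_RIGHTS)` / `fatal(...)` pair) so other systems keep the check, and adding a test that `CMSG_FIRSTHDR(&msg)` did not return NULL and that `cmsg->cmsg_len` is at least `CMSG_LEN(sizeof(int))` before the descriptor is read, since the existing code dereferences `cmsg` unconditionally. The comment would also be clearer saying the check is deliberately disabled on 2.0.x rather than that the kernel "doesn't handle" the field.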
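The receive-side validation that the patch switches off, written out as an added example (not OpenSSH's or the kernel's code): a receiver that checks cmsg_level, cmsg_type and cmsg_len before using the descriptor, driven by a socketpair() round trip that also shows a message without a control part being rejected. It assumes a modern POSIX system whose recvmsg() fills in those fields, i.e. not the Linux 2.0.x kernel this thread is about; `send_msg`, `recv_fd` and `fdpass_roundtrip` are names chosen here.

```c
/* Added example, not OpenSSH or kernel code. Assumes a POSIX recvmsg() that
 * fills in cmsg_level/cmsg_type (so not the Linux 2.0.x kernel discussed). */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Send one data byte; if fd >= 0, attach it as an SCM_RIGHTS control message. */
static int send_msg(int sock, int fd)
{
	struct msghdr msg = {0}; struct iovec iov; struct cmsghdr *cmsg;
	char byte = 0, cbuf[CMSG_SPACE(sizeof(int))];
	memset(cbuf, 0, sizeof(cbuf));
	iov.iov_base = &byte; iov.iov_len = 1; msg.msg_iov = &iov; msg.msg_iovlen = 1;
	if (fd >= 0) {
		msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf);
		cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_len = CMSG_LEN(sizeof(int));
		cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS;
		memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	}
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;   /* stream sockets need data */
}
/* Receive one descriptor. Returns -1 if the control message is absent,
 * truncated or malformed: these are the checks the patch above disables. */
static int recv_fd(int sock)
{
	struct msghdr msg = {0}; struct iovec iov; struct cmsghdr *cmsg;
	char byte, cbuf[CMSG_SPACE(sizeof(int))]; int fd;
	iov.iov_base = &byte; iov.iov_len = 1; msg.msg_iov = &iov; msg.msg_iovlen = 1;
	msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf);
	if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);                     /* NULL if no cmsg arrived */
	if (cmsg == NULL || cmsg->cmsg_len != CMSG_LEN(sizeof(int)) ||
	    cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
		return -1;
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}
/* socketpair() round trip. with_fd=1: pass a pipe's write end and write through
 * the received copy (returns 1). with_fd=0: no cmsg, so recv_fd rejects (returns 0). */
int fdpass_roundtrip(int with_fd)
{
	int sv[2], p[2], rfd, ok = 0; char c = 0;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0) return -1;
	if (send_msg(sv[0], with_fd ? p[1] : -1) == 0 && (rfd = recv_fd(sv[1])) >= 0) {
		ok = write(rfd, "x", 1) == 1 && read(p[0], &c, 1) == 1 && c == 'x';
		close(rfd);
	}
	close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
	return ok;
}
```

On a 2.0.x kernel the cmsg_type comparison in recv_fd would fail on every message, which is the symptom the "expected type 1 got ..." log lines in this thread show.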