OpenSSH 3.2.2p1 sshd: fatal: xfree: NULL pointer given as argument

Phil Howard phil-openssh-unix-dev at ipal.net
Sat May 18 22:53:50 EST 2002


Server host config:
Slackware 8.0 (custom boot scripts)
glibc-2.2.3
gcc-2.95.3
Linux-2.4.18


Client host config:
(same as server)


Symptom:
session disconnects with no message to client:
=============================================================================
phil at antares:/home/phil 153> ssh -V
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
phil at antares:/home/phil 154> ssh -p 10 root at polaris.ipal.net
Connection closed by 209.102.208.19
phil at antares:/home/phil 155>
=============================================================================
phil at polaris:/home/phil 1> ssh -V
OpenSSH_3.2.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
phil at polaris:/home/phil 2> ssh -p 10 root at polaris.ipal.net
Connection closed by 209.102.208.19
phil at polaris:/home/phil 3>
=============================================================================


Message in syslog on server:
fatal: xfree: NULL pointer given as argument


Additional test:
Telnet to SSH port (test port 10, not 22) shows normal banner and
after pressing return gives "Protocol mismatch." as normally seen
when using telnet to sshd (e.g. the above error must be later in
the protocol sequence than raw telnet would engage).


Debug output (-ddd -e):
=============================================================================
debug3: cipher ok: aes256-cbc [aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc]
debug3: cipher ok: aes192-cbc [aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc]
debug3: cipher ok: aes128-cbc [aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc]
debug3: cipher ok: blowfish-cbc [aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc]
debug3: cipher ok: 3des-cbc [aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc]
debug3: ciphers ok: [aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc]
debug1: sshd version OpenSSH_3.2.2p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: Bind to port 10 on 0.0.0.0.
Server listening on 0.0.0.0 port 10.
debug1: Server will not fork when running in debugging mode.
Connection from 209.102.208.19 port 32846
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.2p1
debug1: match: OpenSSH_3.2.2p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.2.2p1
debug1: list_hostkey_types: ssh-dss,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 zlib
debug2: mac_init: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 194/384
debug1: bits set: 1047/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1031/2049
xfree: NULL pointer given as argument
debug1: Calling cleanup 0x806b00c(0x0)
=============================================================================


Server config file:
(Note, this is for port 10 used for testing, not port 22)
=============================================================================
Port 10
ListenAddress 0.0.0.0
Banner /etc/ssh/sshd_banner_10
AllowGroups root wheel ssh10 staff sys adm admin
Ciphers aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
ClientAliveInterval 0
ClientAliveCountMax 3
DenyGroups nossh nossh10
DenyUsers nobody
DSAAuthentication yes
GatewayPorts yes
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KeepAlive no
LoginGraceTime 600
LogLevel INFO
MaxStartups 32:50:64
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
PidFile /var/run/sshd_10.pid
PrintLastLog yes
PrintMotd yes
Protocol 2
PubkeyAuthentication yes
StrictModes yes
SyslogFacility AUTH
UseLogin no
VerifyReverseMapping no
X11DisplayOffset 10
X11Forwarding yes
X11UseLocalhost yes
=============================================================================


-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
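
Added example, not part of the original post: a Python triage helper that recomputes the algorithms from the two KEXINIT proposals in the debug output above and reports the last SSH2_MSG_* stage logged before the xfree abort. It applies the RFC 4253 rule (first entry on the client's list that the server also offers) to every field, which is a simplification for the kex and host key fields. The function names and the compact SAMPLE are constructed for illustration, and the first proposal is treated as sshd's own because it carries the configured Ciphers list.

```python
import re

# Name-list order inside SSH2_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def proposals(log):
    """Return (sshd's own proposal, peer's proposal) as dicts of name-lists."""
    rows = [m.group(1).strip().replace(" at ", "@")  # undo archive address mangling
            for m in re.finditer(r"kex_parse_kexinit: ?(.*)", log)]
    rows = [r for r in rows if not r.startswith(("first_kex_follows", "reserved"))]
    if len(rows) != 2 * len(FIELDS):
        raise ValueError("expected two complete KEXINIT proposals")
    def as_dict(chunk):
        return {f: [a for a in r.split(",") if a] for f, r in zip(FIELDS, chunk)}
    return as_dict(rows[:10]), as_dict(rows[10:])

def negotiate(server, client):
    """Pick the first algorithm on the client's list that the server also offers."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS if not f.startswith("lang")}

def failure_point(log):
    """Return (last SSH2_MSG_* stage logged, abort line), or None if no abort."""
    stage = None
    for line in log.splitlines():
        if "SSH2_MSG_" in line:
            stage = line.split(": ", 1)[1]
        elif "NULL pointer given as argument" in line:
            return stage, line
    return None

# Constructed sample: the relevant lines of the posted debug output, rebuilt compactly.
KEX = "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
MACS = "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96"
def _kexinit(hostkey, enc, comp):
    rows = [KEX, hostkey, enc, enc, MACS, MACS, comp, comp, "", "",
            "first_kex_follows 0 ", "reserved 0 "]
    return "".join(f"debug2: kex_parse_kexinit: {r}\n" for r in rows)
SAMPLE = ("debug1: SSH2_MSG_KEXINIT received\n"
          + _kexinit("ssh-dss,ssh-rsa", "aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc", "none,zlib")
          + _kexinit("ssh-rsa,ssh-dss", "3des-cbc,blowfish-cbc", "zlib")
          + "debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent\n"
          + "debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT\n"
          + "debug1: bits set: 1031/2049\n"
          + "xfree: NULL pointer given as argument\n")

if __name__ == "__main__":
    print(negotiate(*proposals(SAMPLE)), failure_point(SAMPLE), sep="\n")
```

On the posted log this yields 3des-cbc, hmac-md5 and zlib in both directions, matching the "kex:" lines, and places the abort after "expecting SSH2_MSG_KEX_DH_GEX_INIT".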


