Regression in 6.5p1 when using -W option

Corinna Vinschen vinschen at redhat.com
Thu Feb 20 19:47:31 EST 2014


Hi,

we got a report on the Cygwin mailing list showing that there's a
spurious error message when using the -W option.  This didn't occur with
OpenSSH 6.4p1.  Here's an example:

  $ ssh machine1 -W machine2:22
  getsockname failed: Bad file descriptor
  SSH-2.0-OpenSSH_6.1

The error message is a result of getsockname being called with a
file descriptor -1.  The call stack at the time looks like this:

Breakpoint 2, get_socket_address (sock=-1, remote=remote@entry=0,
    flags=flags@entry=2) at /usr/src/debug/openssh-6.5p1-1/canohost.c:256
256                     if (getsockname(sock, (struct sockaddr *)&addr, &addrlen)
(gdb) bt
#0  get_socket_address (sock=-1, remote=remote@entry=0, flags=flags@entry=2)
    at /usr/src/debug/openssh-6.5p1-1/canohost.c:256
#1  0x0000000100432213 in get_local_ipaddr (sock=<optimized out>)
    at /usr/src/debug/openssh-6.5p1-1/canohost.c:292
#2  0x0000000100418db5 in port_open_helper (c=c@entry=0x600074700,
    rtype=rtype@entry=0x10045fe0d <log_facilities+301> "direct-tcpip")
    at /usr/src/debug/openssh-6.5p1-1/channels.c:1388
#3  0x000000010041dc07 in channel_connect_stdio_fwd (
    host_to_connect=0x600039800 "machine2", port_to_connect=22, in=in@entry=4,
    out=5) at /usr/src/debug/openssh-6.5p1-1/channels.c:1269
#4  0x0000000100401566 in ssh_init_stdio_forwarding ()
    at /usr/src/debug/openssh-6.5p1-1/ssh.c:1260
#5  0x0000000100454171 in ssh_session2 ()
    at /usr/src/debug/openssh-6.5p1-1/ssh.c:1606
#6  main (ac=<optimized out>, av=<optimized out>)
    at /usr/src/debug/openssh-6.5p1-1/ssh.c:1130

This is not Cygwin specific.  To be really sure I tested this on Linux
and the message shows up, too, while it doesn't with 6.4p1.  The problem
is still present in current portable CVS.

The reason is that port_open_helper calls get_local_ipaddr on c->sock
unconditionally in port_open_helper without checking the value of
c->sock first.

I didn't generate a patch because I'm not really sure what's the best
way to fix this issue.  Hope that helps nevertheless.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
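
The failure mode in the backtrace above, reproduced stand-alone as an added
example (not OpenSSH code and not part of the original message): getsockname()
on descriptor -1 fails with EBADF, while a check on the descriptor skips the
call. The helper names are hypothetical and the guard is only one possible
shape, not the project's fix.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Unguarded lookup, shaped like the failing call in the backtrace.
 * Returns 0 on success, otherwise the errno set by getsockname(). */
static int local_addr_unguarded(int sock, struct sockaddr_storage *addr)
{
    socklen_t len = sizeof(*addr);
    memset(addr, 0, sizeof(*addr));
    if (getsockname(sock, (struct sockaddr *)addr, &len) < 0)
        return errno;
    return 0;
}

/* Guarded variant (hypothetical helper): 1 = address filled in,
 * 0 = no socket behind the channel, -1 = getsockname() failed on a real fd. */
static int local_addr_guarded(int sock, struct sockaddr_storage *addr)
{
    if (sock < 0) {
        memset(addr, 0, sizeof(*addr));
        return 0;               /* nothing to ask the kernel about */
    }
    return local_addr_unguarded(sock, addr) == 0 ? 1 : -1;
}

/* Constructed check on a real descriptor; a socketpair needs no network.
 * Returns 1 when the guarded lookup succeeds and reports AF_UNIX. */
static int guarded_on_socketpair(void)
{
    struct sockaddr_storage addr;
    int sv[2], r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -2;
    r = local_addr_guarded(sv[0], &addr);
    close(sv[0]);
    close(sv[1]);
    return (r == 1 && addr.ss_family != AF_UNIX) ? -3 : r;
}

int main(void)
{
    struct sockaddr_storage addr;
    printf("unguarded(-1): %s\n", strerror(local_addr_unguarded(-1, &addr)));
    printf("guarded(-1):   %d\n", local_addr_guarded(-1, &addr));
    printf("socketpair:    %d\n", guarded_on_socketpair());
    return 0;
}
```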