sshd passes a NULL pointer to xfree(), preventing ssh clients from connecting to
the server. The problem occurs on multiple servers and clients:


orion:/etc/rc.d# ./rc.sshd start
debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 65.56.115.228 port 1622
debug1: Client protocol version 2.0; client software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1543/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1596/3191
xfree: NULL pointer given as argument
debug1: Calling cleanup 0x806662c(0x0)


The following lines were written to /var/log/syslog when the client attempted to
connect during the debug session (refer to transcript above):

Mar  8 15:39:02 orion sshd[16231]: fatal: xfree: NULL pointer given as argument
Mar  8 15:51:09 orion sshd[16264]: fatal: Cannot bind any address.