Bug 458 - sshd crashes with "fatal: mm_malloc: size too big"
Summary: sshd crashes with "fatal: mm_malloc: size too big"
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All All
Importance: P3 normal
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Depends on:
Blocks: 627
Reported: 2002-12-19 03:13 AEDT by Ulrich Schweitzer
Modified: 2004-04-14 12:24 AEST

See Also:


Attachments
Set SIZE_T_MAX to UINT_MAX if we define size_t ourselves. (1.30 KB, patch)
2003-09-05 14:30 AEST, Darren Tucker
Set SIZE_T_MAX to UINT_MAX if we define size_t ourselves. (480 bytes, patch)
2003-09-05 14:41 AEST, Darren Tucker

Description Ulrich Schweitzer 2002-12-19 03:13:14 AEDT
When I build openssh-3.5p1 on a 32-bit workstation running IRIX 6.5.18, sshd will
crash with the error message "fatal: mm_malloc: size too big" on each login
attempt. When I build it on a 64-bit Origin 200 with the same OS version it works fine.
The problem seems to be the constant ULONG_MAX which is assigned to SIZE_T_MAX
in defines.h. I played around with the code and it seems like ULONG_MAX
evaluates to -1 even though it is defined as 4294967295U (by the way: what does
the U mean?) in /usr/include/limits.h.
I worked around this problem by replacing
#define SIZE_T_MAX ULONG_MAX
with
#define SIZE_T_MAX 4294967295
in defines.h before running make.
Comment 1 Ulrich Schweitzer 2002-12-19 03:16:30 AEDT
Sorry, typo: The irix version is 6.5.17 not 6.5.18
Comment 2 Guido Roeskewns 2002-12-31 08:57:36 AEDT
Same Problem on Solaris 8
Build 32-Bit, gcc 2.95-3

It seems that line 170 in monitor_mm.c is the problem:
	if (size > SIZE_T_MAX - MM_MINSIZE + 1)
		fatal("mm_malloc: size too big");

size seems to be a different type (uint32)

in defines.h:
---
#ifndef SIZE_T_MAX
# define SIZE_T_MAX ULONG_MAX
#endif /* SIZE_T_MAX */

#ifndef HAVE_SIZE_T
typedef unsigned int size_t;
# define HAVE_SIZE_T
#endif /* HAVE_SIZE_T */
---

the line
#define SIZE_T_MAX ULONG_MAX
should be changed, I tried
# define SIZE_T_MAX ((2 << (8 * sizeof(size_t)) - 1)
but got an error (also out of bounds :-(

The definition of SIZE_T_MAX has to be changed to be in the range of the type of size

From the build log:
---
gcc -O3 -pipe -mcpu=ultrasparc -m32 -I. -I. -I/usr/local/include -I/usr/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/ssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/lib/ssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_mm.c
monitor_mm.c: In function `mm_malloc':
monitor_mm.c:170: warning: integer overflow in expression
monitor_mm.c:170: warning: comparison is always true due to limited range of data type
---
-- Guido
Comment 3 Darren Tucker 2003-09-05 14:23:57 AEST
I had to reformat Guido's post to read it:

"Same Problem on Solaris 8
Build 32-Bit, gcc 2.95-3

It seems that line 170 in monitor_mm.c is the problem:
	if (size > SIZE_T_MAX - MM_MINSIZE + 1)
		fatal("mm_malloc: size too big");

size seems to be a different type (uint32)

in defines.h:
#ifndef SIZE_T_MAX
# define SIZE_T_MAX ULONG_MAX
#endif /* SIZE_T_MAX */
#ifndef HAVE_SIZE_T
	typedef unsigned int size_t;
# define HAVE_SIZE_T
#endif /* HAVE_SIZE_T */

the line
#define SIZE_T_MAX ULONG_MAX  should be changed,
I tried
# define SIZE_T_MAX ((2 << (8 * sizeof(size_t)) - 1)
but got an error (also out of bounds :-(

The definition of SIZE_T_MAX has to be changed to be in the range of the type of
size

From the build log:
gcc -O3 -pipe -mcpu=ultrasparc -m32 -I. -I. -I/usr/local/include -I/usr/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/ssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/lib/ssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_mm.c
monitor_mm.c: In function `mm_malloc':
monitor_mm.c:170: warning: integer overflow in expression
monitor_mm.c:170: warning: comparison is always true due to limited range of data type"
Comment 4 Darren Tucker 2003-09-05 14:30:31 AEST
Created attachment 380 [details]
Set SIZE_T_MAX to UINT_MAX if we define size_t ourselves.

defines.h is obviously wrong for the case where neither SIZE_T_MAX nor size_t
is defined; size_t ends up as unsigned int, while SIZE_T_MAX ends up as
ULONG_MAX.

That works if sizeof(unsigned int) == sizeof(unsigned long).

Any objections to this patch?
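The mismatch Darren describes, a size guard written against a limit constant of a different type than the size it is checking, is easy to get wrong again whenever a project supplies its own size_t. The following is an added example, not code from this bug or from OpenSSH: it derives the limit from size_t itself instead of borrowing ULONG_MAX, keeps the MM_MINSIZE round-up that mm_malloc performs, and shows what the guard protects against. The names MM_SIZE_T_MAX, mm_size_ok, mm_round_up_unchecked and limit_matches_type are chosen here for illustration; MM_MINSIZE uses the value 128 that the thread's warning lines refer to. It also shows why the hard-coded 4294967295 from the original report is only a correct limit on a 32-bit size_t.

```c
/* Added example (not OpenSSH code): a mm_malloc-style size guard whose limit
 * is derived from size_t itself rather than from ULONG_MAX. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MM_MINSIZE 128   /* allocation granularity, as in monitor_mm.c */

/* Hypothetical name. All-ones in size_t's own width: correct whether size_t
 * is 32 or 64 bits, and independent of whatever unsigned long happens to be. */
#define MM_SIZE_T_MAX ((size_t)~(size_t)0)

/* The round-up that mm_malloc applies to every request, with no guard.
 * For sizes within MM_MINSIZE - 1 of the maximum the addition wraps and the
 * result is 0, which is the bug the guard in mm_malloc exists to stop. */
size_t mm_round_up_unchecked(size_t size)
{
    return ((size + (MM_MINSIZE - 1)) / MM_MINSIZE) * MM_MINSIZE;
}

/* The guard from monitor_mm.c, compared against a limit of size's own type.
 * Returns 1 when rounding size up cannot wrap, 0 when mm_malloc should
 * refuse the request. With a mismatched limit this comparison is what gcc
 * reported as "always true", which made every login fail. */
int mm_size_ok(size_t size)
{
    if (size == 0)
        return 0;   /* mm_malloc: try to allocate 0 space */
    if (size > MM_SIZE_T_MAX - MM_MINSIZE + 1)
        return 0;   /* mm_malloc: size too big */
    return 1;
}

/* 1 if a candidate limit constant is exactly the maximum of size_t on this
 * build, 0 otherwise. A literal such as 4294967295 only passes on a 32-bit
 * size_t, so it is not a portable replacement for the derived limit. */
int limit_matches_type(unsigned long long candidate)
{
    return candidate == (unsigned long long)SIZE_MAX;
}

int main(void)
{
    size_t near_max = MM_SIZE_T_MAX - (MM_MINSIZE - 2);   /* one past the safe range */

    printf("size_t is %u bytes; derived limit %llu matches SIZE_MAX: %d\n",
           (unsigned)sizeof(size_t), (unsigned long long)MM_SIZE_T_MAX,
           MM_SIZE_T_MAX == SIZE_MAX);
    printf("hard-coded 4294967295 is the size_t maximum here: %d\n",
           limit_matches_type(4294967295ULL));
    printf("round_up(1) = %llu, round_up(129) = %llu\n",
           (unsigned long long)mm_round_up_unchecked(1),
           (unsigned long long)mm_round_up_unchecked(129));
    printf("near max: guard says %d, unchecked round-up wraps to %llu\n",
           mm_size_ok(near_max),
           (unsigned long long)mm_round_up_unchecked(near_max));
    return 0;
}
```

The guard's bound, MM_SIZE_T_MAX - MM_MINSIZE + 1, is the largest size for which adding MM_MINSIZE - 1 still fits in size_t; one byte more and the round-up wraps to zero. Writing the limit as (size_t)~(size_t)0 keeps the comparison in the same type as size, which is the property Darren's patch restores for the case where defines.h typedefs size_t as unsigned int.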
Comment 5 Darren Tucker 2003-09-05 14:38:07 AEST
BTW, the "U" means the constant should be evaluated as an unsigned.
Comment 6 Darren Tucker 2003-09-05 14:41:14 AEST
Created attachment 381 [details]
Set SIZE_T_MAX to UINT_MAX if we define size_t ourselves.

Sorry, mixed patch.
Comment 7 Darren Tucker 2003-12-18 17:03:13 AEDT
Patch #381 was just committed, so I think this is now fixed.  Please re-open if not.
Comment 8 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED