| Summary: | Potential segfault from ssh_remote_ipaddr() |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Jakub Jelen <jjelen> |
| Component: | sshd |
| Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED |
| Severity: | enhancement |
| CC: | djm |
| Priority: | P5 |
| Version: | 7.5p1 |
| Hardware: | Other |
| OS: | Linux |
| Bug Depends on: | |
| Bug Blocks: | 2852 |
| Attachments: | |
Description
Jakub Jelen
2017-09-04 21:00:29 AEST

None of the packet layer functions work after the connection has been freed. I think the main problem here is that sshd is calling audit_event(SSH_CONNECTION_ABANDON) and you seem to have patched audit-linux.c to try to handle that case. You should handle it separately, e.g. calling it early or skipping the ssh_remote_ipaddr() call.

Yes, it is patched audit code, but I don't see a reason why the packet layer could not return the cached values even after the connection is cleaned up (this was one of the use cases why this data is cached in the first place). If it is a design decision that it should not work, the code should certainly not dereference NULL pointers before checking them and should not segfault instead of gracefully failing (or falling back to UNKNOWN) in this case, even though you are sure it cannot be called from your code without valid state. We probably need the IP address for auditing reasons and I don't see a simple way to call that earlier.

Similar fix applied; this will be in the 7.8 release.

Closing resolved bugs as of 8.6p1 release.