Bug 3229

Summary: ssh -o "ConnectTimeout=2147484" => Aborted (core dumped)
Product: Portable OpenSSH
Reporter: Paride Legovini <paride>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: dtucker
Priority: P5
Version: 8.3p1
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 3217
Attachments:
  coredump (flags: none)

Description Paride Legovini 2020-11-12 23:42:57 AEDT
Created attachment 3453 [details]
coredump

Running

  ssh -o "ConnectTimeout=2147484" localhost

or with any timeout >= 2147484 causes an immediate crash of ssh with a core dump:

  $ ssh -o "ConnectTimeout=2147484" localhost
  Aborted (core dumped)

This is with OpenSSH_8.3p1. Core dump attached.

First reported in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1903516
Comment 1 Darren Tucker 2020-11-13 00:27:07 AEDT
Looks like it's an integer overflow caught by -ftrapv:

$ gdb --args ./ssh -o "ConnectTimeout=2147484" localhost
[...]
(gdb) run
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	  return ret;
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7a9a895 in __GI_abort () at abort.c:79
#2  0x000055555555e70e in __mulvsi3.cold ()
#3  0x0000555555562e83 in main (ac=0, av=0x5555556492e0) at ../../ssh.c:1526
(gdb) frame 3
#3  0x0000555555562e83 in main (ac=0, av=0x5555556492e0) at ../../ssh.c:1526
1526		timeout_ms = options.connection_timeout * 1000;

timeout_ms is an int.
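As an added illustration of the overflow in the frame above, not OpenSSH's code and not the fix that was later committed: the seconds-to-milliseconds conversion written the unchecked way, beside two checked versions that reject any value whose product would not fit in an int. Function names and the sample inputs are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed example, not OpenSSH code. Shows why
 * "timeout_ms = options.connection_timeout * 1000" overflows with int
 * operands and how a bounds check avoids it. */

/* Unchecked: mirrors the line in the backtrace. For seconds > INT_MAX / 1000
 * the product overflows, which is undefined behaviour in C; a -ftrapv build
 * aborts (the reported crash), other builds silently wrap. Only call this
 * with inputs already known to be in range. */
int timeout_ms_unchecked(int seconds)
{
    return seconds * 1000;
}

/* Checked: reject negative values and anything too large to multiply.
 * Returns the millisecond value, or -1 on error. With 32-bit int,
 * INT_MAX / 1000 == 2147483, so 2147484 (the value in the report) is the
 * first input rejected. */
int timeout_ms_checked(int seconds)
{
    if (seconds < 0 || seconds > INT_MAX / 1000)
        return -1;
    return seconds * 1000;
}

/* Same policy via the compiler builtin (GCC >= 5, Clang), which reports
 * wraparound directly instead of relying on a hand-derived bound. */
int timeout_ms_builtin(int seconds)
{
    int ms;
    if (seconds < 0 || __builtin_mul_overflow(seconds, 1000, &ms))
        return -1;
    return ms;
}

int main(void)
{
    /* Constructed inputs: a normal value, the largest safe value, and the
     * reported crashing value. */
    const int inputs[] = { 10, 2147483, 2147484 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int ms = timeout_ms_checked(inputs[i]);
        if (ms < 0)
            printf("ConnectTimeout=%d rejected: would overflow int\n", inputs[i]);
        else
            printf("ConnectTimeout=%d -> %d ms\n", inputs[i], ms);
    }
    return 0;
}
```

The division-based bound is the portable form; the builtin form is shorter and does not need the bound recomputed if the multiplier or the destination type changes. Either way the check belongs where the option is parsed, so an out-of-range ConnectTimeout is reported as a configuration error rather than reaching the multiplication.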
Comment 2 Darren Tucker 2020-11-13 10:00:03 AEDT
Fixed in http://anongit.mindrot.org/openssh.git/commit/?id=819b44e8b9af6ce18d3ec7505b9f461bf7991a1f

Thanks for the report.
Comment 3 Damien Miller 2021-04-23 14:57:35 AEST
closing resolved bugs as of 8.6p1 release