Bug 1501 - p_read, p_send not initialized
Summary: p_read, p_send not initialized
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 5.0p1
Hardware: Other Other
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-12 01:31 AEST by Tom Hanson
Modified: 2009-02-23 13:36 AEDT
Description Tom Hanson 2008-08-12 01:31:14 AEST
Source file packet.c declares 2 structures, p_read & p_send, which are used to manage packet traffic.  These structures are not explicitly initialized in either the declaration or in the code.

In an environment (i.e. VxWorks) where spawning a second copy (thread) does not zero-fill memory, this causes the second (and subsequent) copies to use the values left behind by previous copies.  The result is that the sequence number (seqnr field) is out of synch with the server and MAC checksum verification fails.

Recommend setting seqnr, packets, and blocks fields to zero at process/thread start.  Testing with concurrent threads also recommended.
Comment 1 Darren Tucker 2008-08-13 13:06:34 AEST
Uh, it's a static global.  ISO C specifies that it must already be zeroed.

e.g. http://www.dkuug.dk/JTC1/SC22/WG14/www/docs/n843.pdf section 6.7.8.10:

"If an object that has static storage duration is not initialized explicitly, then: 
- if it has pointer type, it is initialized to a null pointer; 
- if it has arithmetic type, it is initialized to (positive or unsigned) zero; 
- if it is an aggregate, every member is initialized (recursively) according to these rules;"

OpenSSH is not and has never claimed to be thread safe.
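The following is an added illustration, not code from OpenSSH's packet.c or from either commenter. It uses a hypothetical stand-in for the per-direction packet state with the three fields the report names (seqnr, packets, blocks), shows the zero-initialization guarantee that comment 1 cites for objects with static storage duration, provides the explicit reset the reporter recommends, and simulates why a stale seqnr breaks MAC verification: SSH2 binds each packet's MAC to the sequence number, so a receiver whose counter is out of step rejects every packet. The MAC here is a toy FNV-1a hash over seqnr || payload, not SSH's real HMAC; the payload is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-direction state in OpenSSH's packet.c.
 * The real structure has more members; these are the three the report names. */
struct packet_state {
    uint32_t seqnr;    /* packet sequence number, also an input to the MAC */
    uint32_t packets;  /* packets since the last rekey */
    uint64_t blocks;   /* cipher blocks since the last rekey */
};

/* Static storage duration: ISO C (the 6.7.8 paragraph 10 rule quoted above)
 * guarantees every member is zero before main() runs, with no initializer. */
static struct packet_state p_read;
static struct packet_state p_send;

/* Returns 1 when a state block is all-zero, as a fresh connection requires. */
int packet_state_is_fresh(const struct packet_state *s)
{
    return s->seqnr == 0 && s->packets == 0 && s->blocks == 0;
}

/* The explicit reset the reporter recommends. Redundant on a conforming C
 * implementation; it only matters where static storage is not zero-filled. */
void packet_state_reset(struct packet_state *s)
{
    memset(s, 0, sizeof(*s));
}

/* Toy MAC: FNV-1a over the big-endian sequence number followed by the payload.
 * Stands in for the HMAC SSH2 computes over seqnr || packet. Not a real MAC. */
uint32_t toy_mac(uint32_t seqnr, const uint8_t *payload, size_t len)
{
    uint32_t h = 2166136261u;
    uint8_t seq[4] = { (uint8_t)(seqnr >> 24), (uint8_t)(seqnr >> 16),
                       (uint8_t)(seqnr >> 8),  (uint8_t)seqnr };
    for (size_t i = 0; i < 4; i++) { h ^= seq[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++) { h ^= payload[i]; h *= 16777619u; }
    return h;
}

/* Simulate the reported failure mode. A peer sends n packets whose MACs are
 * bound to its own counter starting at peer_seqnr_start; we verify each one
 * with rx->seqnr and advance our counters. Returns how many MACs verified. */
int receive_packets(struct packet_state *rx, uint32_t peer_seqnr_start, int n)
{
    static const uint8_t payload[] = "constructed payload";  /* constructed */
    const size_t len = sizeof payload - 1;
    int ok = 0;

    for (int i = 0; i < n; i++) {
        uint32_t expected = toy_mac(peer_seqnr_start + (uint32_t)i, payload, len);
        if (toy_mac(rx->seqnr, payload, len) == expected)
            ok++;
        rx->seqnr++;
        rx->packets++;
        rx->blocks += (len + 15) / 16;  /* 16-byte cipher blocks, rounded up */
    }
    return ok;
}

/* A "second copy" that inherited non-zero state instead of zero-filled memory:
 * every MAC check fails because its seqnr is ahead of the peer's. Returns the
 * number of packets that verified (0). */
int stale_state_demo(void)
{
    struct packet_state stale = { .seqnr = 7, .packets = 7, .blocks = 14 };
    return receive_packets(&stale, 0, 3);
}

/* Same inherited state, but reset at start as the reporter recommends:
 * all packets verify again. Returns the number that verified (3). */
int reset_state_demo(void)
{
    struct packet_state inherited = { .seqnr = 7, .packets = 7, .blocks = 14 };
    packet_state_reset(&inherited);
    return receive_packets(&inherited, 0, 3);
}

int main(void)
{
    printf("p_read fresh at start: %d, p_send fresh at start: %d\n",
           packet_state_is_fresh(&p_read), packet_state_is_fresh(&p_send));
    printf("fresh receiver verified %d of 3\n", receive_packets(&p_read, 0, 3));
    printf("stale receiver verified %d of 3\n", stale_state_demo());
    printf("reset receiver verified %d of 3\n", reset_state_demo());
    return 0;
}
```

On any hosted C implementation the first line of output reports both globals as fresh without the reset ever running, which is the guarantee comment 1 relies on; the stale case shows the symptom the report describes (every MAC rejected) when a runtime reuses memory for a second copy without zero-filling it.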
Comment 2 Damien Miller 2009-02-23 13:36:01 AEDT
Close bugs fixed/reviewed for openssh-5.2 release