Created attachment 2424
possible fix

sshd crashes with a core dump when used in a high-scale environment. The program crashes inside the function "cleanup_exit" at the line

    if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1)

It is assumed here that pmonitor is never NULL. However, pmonitor can be NULL in the execution sequence below:

#0  0x0804e214 in cleanup_exit (i=255) at ../../../../../../src/crypto/openssh/sshd.c:2415
#1  0x080ae7bf in fatal (fmt=0x80b8ea6 "%s: socketpair: %s") at ../../../../../../src/crypto/openssh/fatal.c:42
#2  0x08065779 in monitor_openfds (mon=0x80eb5c0, do_logfds=1) at ../../../../../../src/crypto/openssh/monitor.c:1877
#3  0x080658ee in monitor_init () at ../../../../../../src/crypto/openssh/monitor.c:1903
#4  0x080507fd in privsep_preauth (authctxt=0x0) at ../../../../../../src/crypto/openssh/sshd.c:669
#5  0x08051f72 in main (ac=903248, av=0xc811cc00) at ../../../../../../src/crypto/openssh/sshd.c:2014

Here pmonitor is NULL inside "privsep_preauth", which calls "monitor_init". "monitor_init" allocates memory for mon and calls "monitor_openfds". However, inside "monitor_openfds" the call to socketpair fails (in our case with errno = 23 /* Too many open files in system */). This calls "fatal", which in turn calls "cleanup_exit". Since pmonitor is not initialized until now, it crashes.
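The call chain in the report, reduced to a runnable model. This is an added example, not OpenSSH source and not the contents of attachment 2424: the function names mirror sshd's (cleanup_exit, fatal, monitor_openfds, monitor_init) but the bodies are simplified, fatal() longjmps back to a driver instead of exiting so the outcome can be inspected, and force_socketpair_failure, guard_null_pmonitor, demo_socketpair, run_privsep_preauth and the outcome enum are constructed for the demo. The unguarded path reports that it would have read through the NULL pmonitor rather than doing so; the guarded path shows the effect of checking pmonitor before use.

```c
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct monitor { pid_t m_pid; int m_recvfd, m_sendfd; };

/* Globals as in sshd: pmonitor stays NULL until monitor_init() has returned. */
static struct monitor *pmonitor = NULL;
static int use_privsep = 1;
static int privsep_is_preauth = 1;

static int force_socketpair_failure = 0;  /* constructed fault injection (ENFILE) */
static int guard_null_pmonitor = 1;       /* 0 = the behaviour the report describes */

enum outcome {
    OUTCOME_NO_FATAL = 0,      /* monitor_init() succeeded */
    OUTCOME_FATAL_SKIPPED,     /* fatal() ran; cleanup left the monitor alone */
    OUTCOME_FATAL_NULL_DEREF,  /* fatal() ran; cleanup would have read pmonitor->m_pid through NULL */
    OUTCOME_FATAL_SIGNALLED    /* fatal() ran; cleanup signalled a real monitor pid */
};

static jmp_buf fatal_jmp;
static enum outcome last_outcome;

/* Equivalent of the condition quoted in the report, plus the NULL check.
 * The unguarded case records the would-be dereference instead of crashing. */
static void cleanup_exit(int i)
{
    last_outcome = OUTCOME_FATAL_SKIPPED;
    if (use_privsep && privsep_is_preauth) {
        if (pmonitor == NULL) {
            if (!guard_null_pmonitor)
                last_outcome = OUTCOME_FATAL_NULL_DEREF;  /* original code reads pmonitor->m_pid here */
        } else if (pmonitor->m_pid > 1) {
            kill(pmonitor->m_pid, SIGKILL);
            last_outcome = OUTCOME_FATAL_SIGNALLED;
        }
    }
    longjmp(fatal_jmp, i ? i : 1);  /* stands in for _exit(i) */
}

static void fatal(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
    cleanup_exit(255);
}

static int demo_socketpair(int sv[2])
{
    if (force_socketpair_failure) { errno = ENFILE; return -1; }
    return socketpair(AF_UNIX, SOCK_STREAM, 0, sv);
}

static void monitor_openfds(struct monitor *mon)
{
    int pair[2];
    if (demo_socketpair(pair) == -1)
        fatal("%s: socketpair: %s", __func__, strerror(errno));  /* pmonitor still NULL */
    mon->m_recvfd = pair[0];
    mon->m_sendfd = pair[1];
}

static struct monitor *monitor_init(void)
{
    struct monitor *mon = calloc(1, sizeof(*mon));  /* leaks on fatal(), as the real process exits */
    if (mon == NULL)
        fatal("%s: calloc", __func__);
    monitor_openfds(mon);
    return mon;
}

/* Runs the preauth setup once and reports what cleanup did. */
static enum outcome run_privsep_preauth(int fail_socketpair, int guarded)
{
    force_socketpair_failure = fail_socketpair;
    guard_null_pmonitor = guarded;
    pmonitor = NULL;
    last_outcome = OUTCOME_NO_FATAL;
    if (setjmp(fatal_jmp) == 0) {
        pmonitor = monitor_init();  /* only assigned after monitor_init() returns */
        close(pmonitor->m_recvfd);
        close(pmonitor->m_sendfd);
        free(pmonitor);
        pmonitor = NULL;
    }
    return last_outcome;
}

int main(void)
{
    printf("unguarded, socketpair fails: %d\n", run_privsep_preauth(1, 0));
    printf("guarded, socketpair fails:   %d\n", run_privsep_preauth(1, 1));
    printf("guarded, socketpair ok:      %d\n", run_privsep_preauth(0, 1));
    return 0;
}
```

The point the model makes is about ordering, not about socketpair specifically: any fatal() raised between the start of privsep_preauth() and the assignment of pmonitor reaches cleanup_exit() with the global still NULL, so the cleanup handler has to tolerate partially initialised state rather than assume the monitor exists.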
Patch applied - this will be in OpenSSH-6.7. Thanks!
Close all bugs left open from 6.6 and 6.7 releases.