NetBSD Problem Report #44516

From www@NetBSD.org  Sat Feb  5 02:35:58 2011
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 98AE363B93A
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  5 Feb 2011 02:35:58 +0000 (UTC)
Message-Id: <20110205023557.0DC9763B842@www.NetBSD.org>
Date: Sat,  5 Feb 2011 02:35:57 +0000 (UTC)
From: nis@nii.ac.jp
Reply-To: nis@nii.ac.jp
To: gnats-bugs@NetBSD.org
Subject: ssh crashes when it receives malformed packet
X-Send-Pr-Version: www-1.0

>Number:         44516
>Category:       bin
>Synopsis:       ssh crashes when it receives malformed packet
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 05 02:40:01 +0000 2011
>Originator:     Shingo NISHIOKA
>Release:        5.1_STABLE
>Organization:
National Institute of Informatics
>Environment:
NetBSD h-1.cs.nii.ac.jp 5.1_STABLE NetBSD 5.1_STABLE (GENERIC) #1: Wed Feb  2 16:27:05 JST 2011  nis@h-1.cs.nii.ac.jp:/usr/obj/sys/arch/amd64/compile/GENERIC amd64

>Description:
ssh crashes when it receives a malformed packet.
In that case, ssh finds out the packet size is too long and reports the problem.
After that, ssh crashes with a segmentation fault.
--
$ ssh -vvv shinobu
OpenSSH_5.0 NetBSD_Secure_Shell-20080403, OpenSSL 0.9.9-dev 09 May 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to shinobu [136.187.103.252] port 22.
debug1: Connection established.
debug1: identity file /home/marron/.ssh/identity type -1
debug1: identity file /home/marron/.ssh/id_rsa type -1
debug1: identity file /home/marron/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0 NetBSD_Secure_Shell-20080403-hpn13v1
debug2: fd 6 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 3737169374.
[1]   Segmentation fault (core dumped) ssh -vvv shinobu
--
>How-To-Repeat:
Not sure. 
In our case, ssh server runs on FreeBSD 8.2-RC2 PV/XEN3_DOMU (i386),
and XEN3_DOM0 is NetBSD 5.1_STABLE (amd64).
--
The following is output of tcpdump captured on DOM0:

tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:25.229949 arp who-has shinobu.cs.nii.ac.jp tell h-1
        0x0000:  ffff ffff ffff 001b 24f0 2c48 0806 0001  ........$.,H....
        0x0010:  0800 0604 0001 001b 24f0 2c48 88bb 67db  ........$.,H..g.
        0x0020:  0000 0000 0000 88bb 67fc 0000 0000 0000  ........g.......
        0x0030:  0000 0000 0000 0000 0000 0000            ............
11:20:25.230002 arp reply shinobu.cs.nii.ac.jp is-at 00:16:3e:00:01:19 (oui Unknown)
        0x0000:  001b 24f0 2c48 0016 3e00 0119 0806 0001  ..$.,H..>.......
        0x0010:  0800 0604 0002 0016 3e00 0119 88bb 67fc  ........>.....g.
        0x0020:  001b 24f0 2c48 88bb 67db                 ..$.,H..g.
11:20:25.230230 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: S, cksum 0x6ab3 (correct), 185491175:185491175(0) win 32768 <mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,timestamp 1 0>
        0x0000:  0016 3e00 0119 001b 24f0 2c48 0800 4500  ..>.....$.,H..E.
        0x0010:  0040 0000 4000 4006 596a 88bb 67db 88bb  .@..@.@.Yj..g...
        0x0020:  67fc ffef 0016 0b0e 5ee7 0000 0000 b002  g.......^.......
        0x0030:  8000 6ab3 0000 0204 05b4 0103 0303 0402  ..j.............
        0x0040:  0101 0101 080a 0000 0001 0000 0000       ..............
11:20:25.230299 IP (tos 0x0, ttl 64, id 122, offset 0, flags [DF], proto TCP (6), length 60) shinobu.cs.nii.ac.jp.ssh > h-1.65519: S, cksum 0x1bcc (correct), 4246074977:4246074977(0) ack 185491176 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 2700168307 1>
        0x0000:  001b 24f0 2c48 0016 3e00 0119 0800 4500  ..$.,H..>.....E.
        0x0010:  003c 007a 4000 4006 58f4 88bb 67fc 88bb  .<.z@.@.X...g...
        0x0020:  67db 0016 ffef fd15 f661 0b0e 5ee8 a012  g........a..^...
        0x0030:  ffff 1bcc 0000 0204 05b4 0103 0303 0402  ................
        0x0040:  080a a0f1 4c73 0000 0001                 ....Ls....
11:20:25.230526 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: ., cksum 0x3a2f (correct), 1:1(0) ack 1 win 4197 <nop,nop,timestamp 1 2700168307>
        0x0000:  0016 3e00 0119 001b 24f0 2c48 0800 4500  ..>.....$.,H..E.
        0x0010:  0034 0000 4000 4006 5976 88bb 67db 88bb  .4..@.@.Yv..g...
        0x0020:  67fc ffef 0016 0b0e 5ee8 fd15 f662 8010  g.......^....b..
        0x0030:  1065 3a2f 0000 0101 080a 0000 0001 a0f1  .e:/............
        0x0040:  4c73                                     Ls
11:20:25.244288 IP (tos 0x0, ttl 64, id 123, offset 0, flags [DF], proto TCP (6), length 92) shinobu.cs.nii.ac.jp.ssh > h-1.65519: P 1:41(40) ack 1 win 8326 <nop,nop,timestamp 2700168308 1>
        0x0000:  001b 24f0 2c48 0016 3e00 0119 0800 4500  ..$.,H..>.....E.
        0x0010:  005c 007b 4000 4006 58d3 88bb 67fc 88bb  .\.{@.@.X...g...
        0x0020:  67db 0016 ffef fd15 f662 0b0e 5ee8 8018  g........b..^...
        0x0030:  2086 3d83 0000 0101 080a a0f1 4c74 0000  ..=.........Lt..
        0x0040:  0001 5353 482d 322e 302d 4f70 656e 5353  ..SSH-2.0-OpenSS
        0x0050:  485f 352e 3470 3120 4672 6565 4253 442d  H_5.4p1.FreeBSD-
11:20:25.244515 IP (tos 0x0, ttl 64, id 15745, offset 0, flags [DF], proto TCP (6), length 109) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: P 1:58(57) ack 41 win 4197 <nop,nop,timestamp 1 2700168308>
        0x0000:  0016 3e00 0119 001b 24f0 2c48 0800 4500  ..>.....$.,H..E.
        0x0010:  006d 3d81 4000 4006 1bbc 88bb 67db 88bb  .m=.@.@.....g...
        0x0020:  67fc ffef 0016 0b0e 5ee8 fd15 f68a 8018  g.......^.......
        0x0030:  1065 9987 0000 0101 080a 0000 0001 a0f1  .e..............
        0x0040:  4c74 5353 482d 322e 302d 4f70 656e 5353  LtSSH-2.0-OpenSS
        0x0050:  485f 352e 3020 4e65 7442 5344 5f53 6563  H_5.0.NetBSD_Sec
11:20:25.246906 IP (tos 0x0, ttl 64, id 124, offset 0, flags [DF], proto TCP (6), length 836) shinobu.cs.nii.ac.jp.ssh > h-1.65519: P 41:825(784) ack 58 win 8326 <nop,nop,timestamp 2700168309 1>
        0x0000:  001b 24f0 2c48 0016 3e00 0119 0800 4500  ..$.,H..>.....E.
        0x0010:  0344 007c 4000 4006 55ea 88bb 67fc 88bb  .D.|@.@.U...g...
        0x0020:  67db 0016 ffef fd15 f68a 0b0e 5f21 8018  g..........._!..
        0x0030:  2086 bbf7 0000 0101 080a a0f1 4c75 0000  ............Lu..
        0x0040:  0001 dec0 adde dec0 adde dec0 adde dec0  ................
        0x0050:  adde dec0 adde dec0 adde dec0 adde dec0  ................
11:20:25.247139 IP (tos 0x0, ttl 64, id 15750, offset 0, flags [DF], proto TCP (6), length 804) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: P 58:810(752) ack 825 win 4099 <nop,nop,timestamp 1 2700168309>
        0x0000:  0016 3e00 0119 001b 24f0 2c48 0800 4500  ..>.....$.,H..E.
        0x0010:  0324 3d86 4000 4006 1900 88bb 67db 88bb  .$=.@.@.....g...
        0x0020:  67fc ffef 0016 0b0e 5f21 fd15 f99a 8018  g......._!......
        0x0030:  1003 61a0 0000 0101 080a 0000 0001 a0f1  ..a.............
        0x0040:  4c75 0000 02ec 0814 e6cb 9a04 d3f4 c241  Lu.............A
        0x0050:  f103 9e45 d9ed 9593 0000 007e 6469 6666  ...E.......~diff
11:20:25.249480 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: F, cksum 0x33cb (correct), 810:810(0) ack 825 win 4197 <nop,nop,timestamp 1 2700168309>
        0x0000:  0016 3e00 0119 001b 24f0 2c48 0800 4500  ..>.....$.,H..E.
        0x0010:  0034 0000 4000 4006 5976 88bb 67db 88bb  .4..@.@.Yv..g...
        0x0020:  67fc ffef 0016 0b0e 6211 fd15 f99a 8011  g.......b.......
        0x0030:  1065 33cb 0000 0101 080a 0000 0001 a0f1  .e3.............
        0x0040:  4c75                                     Lu
11:20:25.249515 IP (tos 0x0, ttl 64, id 125, offset 0, flags [DF], proto TCP (6), length 52) shinobu.cs.nii.ac.jp.ssh > h-1.65519: ., cksum 0x23aa (correct), 825:825(0) ack 811 win 8326 <nop,nop,timestamp 2700168309 1>
        0x0000:  001b 24f0 2c48 0016 3e00 0119 0800 4500  ..$.,H..>.....E.
        0x0010:  0034 007d 4000 4006 58f9 88bb 67fc 88bb  .4.}@.@.X...g...
        0x0020:  67db 0016 ffef fd15 f99a 0b0e 6212 8010  g...........b...
        0x0030:  2086 23aa 0000 0101 080a a0f1 4c75 0000  ..#.........Lu..
        0x0040:  0001                                     ..
11:20:25.265532 IP (tos 0x0, ttl 64, id 126, offset 0, flags [DF], proto TCP (6), length 52) shinobu.cs.nii.ac.jp.ssh > h-1.65519: F, cksum 0x23a7 (correct), 825:825(0) ack 811 win 8326 <nop,nop,timestamp 2700168311 1>
        0x0000:  001b 24f0 2c48 0016 3e00 0119 0800 4500  ..$.,H..>.....E.
        0x0010:  0034 007e 4000 4006 58f8 88bb 67fc 88bb  .4.~@.@.X...g...
        0x0020:  67db 0016 ffef fd15 f99a 0b0e 6212 8011  g...........b...
        0x0030:  2086 23a7 0000 0101 080a a0f1 4c77 0000  ..#.........Lw..
        0x0040:  0001                                     ..
11:20:25.265603 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: ., cksum 0x33c8 (correct), 811:811(0) ack 826 win 4197 <nop,nop,timestamp 1 2700168311>
        0x0000:  0016 3e00 0119 001b 24f0 2c48 0800 4500  ..>.....$.,H..E.
        0x0010:  0034 0000 4000 4006 5976 88bb 67db 88bb  .4..@.@.Yv..g...
        0x0020:  67fc ffef 0016 0b0e 6212 fd15 f99b 8010  g.......b.......
        0x0030:  1065 33c8 0000 0101 080a 0000 0001 a0f1  .e3.............
        0x0040:  4c77                                     Lw

13 packets captured
39 packets received by filter
0 packets dropped by kernel
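The numbers in the report tie together: the server's third segment (836 bytes on the wire, 784 bytes of TCP payload) carries `dec0 adde ...` where an SSH2 binary packet header should be, and its first four bytes read as a big-endian uint32 (RFC 4253 section 6) are 0xdec0adde = 3737169374, the exact value in "Bad packet length 3737169374." The client's own KEXINIT in the previous segment decodes cleanly the same way. The Python below is an added example, not code from this PR or from OpenSSH: it parses the head of both payloads as they appear in the capture and applies the same kind of bounds check, so the malformed header is rejected before its length is used to size or index anything. The bounds (5-byte minimum from RFC 4253, 256 KiB maximum as in OpenSSH's PACKET_MAX_SIZE), the 0x42 payload offset (14 Ethernet + 20 IP + 32 TCP header bytes) and the 8-byte alignment rule for unencrypted packets are assumptions taken from the protocol and the dump, not statements in the report.

```python
"""Parse the head of an SSH2 binary packet and apply the length sanity check.

Added example for PR 44516; not the reporter's or OpenSSH's code.  Byte strings
are copied from the tcpdump output in the PR (only the first 30 payload bytes of
each segment are visible there, so that is all that is decoded here).
"""
import struct

# RFC 4253: packet_length must cover the padding_length byte plus at least
# four bytes of padding, so anything below 5 is malformed.  The upper bound is
# OpenSSH's PACKET_MAX_SIZE (256 KiB).  Both are assumptions of this example.
MIN_PACKET_LENGTH = 1 + 4
MAX_PACKET_LENGTH = 256 * 1024

SSH_MSG_KEXINIT = 20


class BadPacketLength(ValueError):
    """Raised instead of trusting an out-of-range or inconsistent length field."""


def parse_packet_header(data: bytes):
    """Return (packet_length, padding_length) for an unencrypted SSH2 packet.

    Every check runs before the length is used for allocation or indexing, so
    a hostile header produces a clean disconnect rather than memory sized by
    peer-controlled input.
    """
    if len(data) < 5:
        raise BadPacketLength("short read: need 5 header bytes, got %d" % len(data))
    packet_length, padding_length = struct.unpack(">IB", data[:5])
    if packet_length < MIN_PACKET_LENGTH or packet_length > MAX_PACKET_LENGTH:
        # Same wording as the client's diagnostic in the PR.
        raise BadPacketLength("Bad packet length %d." % packet_length)
    if padding_length + 1 > packet_length:
        raise BadPacketLength("padding_length %d does not fit packet_length %d"
                              % (padding_length, packet_length))
    # Before encryption the block size is 8, and RFC 4253 requires the
    # 4-byte length field plus packet_length to be a multiple of it.
    if (4 + packet_length) % 8:
        raise BadPacketLength("packet_length %d is not block-aligned" % packet_length)
    return packet_length, padding_length


def parse_kexinit_prefix(data: bytes) -> dict:
    """Decode the visible head of a KEXINIT: type, cookie, kex name-list length."""
    packet_length, padding_length = parse_packet_header(data)
    payload = data[5:]
    if len(payload) < 21:
        raise ValueError("need at least 21 payload bytes for the KEXINIT head")
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT, message type %d" % payload[0])
    (kex_len,) = struct.unpack(">I", payload[17:21])
    return {
        "packet_length": packet_length,
        "padding_length": padding_length,
        "msg_type": payload[0],
        "cookie": payload[1:17],
        "kex_algorithms_length": kex_len,
        "kex_algorithms_head": payload[21:],
    }


def receive(data: bytes) -> str:
    """The decision a client should make: disconnect on a bad header, else proceed."""
    try:
        plen, pad = parse_packet_header(data)
    except BadPacketLength as err:
        return "disconnect: %s" % err
    return "accept: packet_length=%d padding_length=%d" % (plen, pad)


# Copied from the PR's capture, Ethernet offset 0x42 onward.  Server segment of
# length 836: the 784-byte payload begins with repeating dec0adde.
SERVER_MALFORMED = bytes.fromhex("dec0adde" * 7 + "dec0")
# Client segment of length 804: a 752-byte payload whose header says 748 + 4.
CLIENT_KEXINIT_PREFIX = bytes.fromhex(
    "000002ec" "08" "14" "e6cb9a04d3f4c241f1039e45d9ed9593" "0000007e" "64696666"
)

if __name__ == "__main__":
    print(receive(SERVER_MALFORMED))
    info = parse_kexinit_prefix(CLIENT_KEXINIT_PREFIX)
    print("client KEXINIT: length %d (+4 = %d on the wire), padding %d, "
          "cookie %s, kex list %d bytes starting %r"
          % (info["packet_length"], 4 + info["packet_length"],
             info["padding_length"], info["cookie"].hex(),
             info["kex_algorithms_length"], info["kex_algorithms_head"]))
```

The client-side arithmetic checks out against the capture: 4 + 748 = 752 bytes, which is the TCP payload length tcpdump reports for the 804-byte segment (804 less 20 IP and 32 TCP header bytes), and 752 is a multiple of 8. The server's payload fails at the very first check, which is where a client has to stop: once a length field is known to be garbage, nothing downstream may consume it.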

>Fix:
