Fix SSH crash when started with -C argument /usr/sbin/sshd -T -C user=root -C host=nd-e013 -C addr=127.0.0.1 -C lport=22 #21995
Conversation
|
|
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| break; | ||
| case 'C': | ||
| /* Export remote IP address and port for authorization. */ | ||
| - export_remote_info(ssh); |
There was a problem hiding this comment.
@liuh-80 : The call of export_remote_info(ssh) is not right as ssh is assigned after call to ssh_packet_set_connection at line 2169 in file sshd.c .
I want to remove this API call to export_remote_info as it is a NOOP as ssh pointer will always be NULL here
There was a problem hiding this comment.
Please make sure all TACACS related test case does not break.
We need export_remote_info for TACACS per-command authorization.
I think you can keeps those export_remote_info invoke code no change, because the fix in export_remote_info already return when ssh is empty.
There was a problem hiding this comment.
@liuh-80 But if ssh argument to export_remote_info will always be NULL, then the call to export_remote_info is of no use. What is the usecase to keep the call here ?
There was a problem hiding this comment.
For remove export_remote_info at line 89, if the ssh always be NULL, I agree with you, this can be removed.
asha-behera
changed the title
asha-behera
changed the title
|
/azp run Azure.sonic-buildimage |
|
Commenter does not have sufficient privileges for PR 21995 in repo sonic-net/sonic-buildimage |
|
/azpw run Azure.sonic-buildimage |
|
/AzurePipelines run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| - export_remote_info(ssh); | ||
| + if (export_remote_info(ssh) != 0) | ||
| + { | ||
| + return -1; |
There was a problem hiding this comment.
return here will change sshd behavior, suggest don't change.
| - export_remote_info(ssh); | ||
| + if (export_remote_info(ssh) != 0) | ||
| + { | ||
| + exit(1); |
There was a problem hiding this comment.
Suggest don't exit here, this will change sshd behavior.
|
|
||
| /* Check whether we have cached the ipaddr. */ | ||
| - if (ssh->remote_ipaddr == NULL) { | ||
| + if (ssh != NULL && ssh->remote_ipaddr == NULL) { |
There was a problem hiding this comment.
This part of code belong to sshd, suggest don't change it's behavior.
There was a problem hiding this comment.
@liuh-80 : Do you see any issue with the check ? It is good to have check of ssh NULL before accessing its contents remote_ipaddr.
There was a problem hiding this comment.
This part of code never crashes in official openssh, so I think ssh will never be NULL here, if we make the change, the risk is this patch may break with future version.
I also agree with you that the new code does not have issue. so just a suggestion.
|
I suggest fix the issue in 0003-Export-remote-info-for-authorization.patch: |
| +int | ||
| export_remote_info(struct ssh *ssh) | ||
| { | ||
| + if (ssh == NULL) |
There was a problem hiding this comment.
@liuh-80 If we do not intend to do anything with return status of export_remote_info as it will change sshd behavior ...I will chnage as below : Hope it is ok ?
/* Export remote IP address and port for authorization. */
void
export_remote_info(struct ssh *ssh)
{
if (ssh != NULL)
{
const char *remote_ip = ssh_remote_ipaddr(ssh);
const int remote_port = ssh_remote_port(ssh);
const char remote_addr_port[32 + INET6_ADDRSTRLEN];
snprintf(remote_addr_port, sizeof(remote_addr_port), "%s %d", remote_ip, remote_port);
setenv("SSH_CLIENT_IPADDR_PORT", remote_addr_port, 1);
}
}
There was a problem hiding this comment.
The code is OK, just a suggestion for improve nested code:
void
export_remote_info(struct ssh *ssh)
{
if (ssh == NULL)
{
return;
}
const char *remote_ip = ssh_remote_ipaddr(ssh);
const int remote_port = ssh_remote_port(ssh);
const char remote_addr_port[32 + INET6_ADDRSTRLEN];
snprintf(remote_addr_port, sizeof(remote_addr_port), "%s %d", remote_ip, remote_port);
setenv("SSH_CLIENT_IPADDR_PORT", remote_addr_port, 1);
}
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
…ser=root -C host=nd-e013 -C addr=127.0.0.1 -C lport=22 Signed-off-by: Asha Behera <[email protected]>
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Fixes issue #21997
Why I did it
SSH was crashing due to the patch 0003-Export-remote-info-for-authorization.patch when ssh is started with -C argumnets .
Running debian packaged sshd with '-T -C user=root -C host=nd-e013 -C addr=127.0.0.1 -C lport=22' arguments doesn't cause crash.
ssh NULL pointer was being accessed hence crash occured .
We are calling export_remote_info before ssh is assigned using ssh_alloc_session_state API later in code
Recreation of the crash:
(gdb) file /usr/sbin/sshd
(gdb) run -T -C user=root -C host=nd-e013 -C addr=127.0.0.1 -C lport=22
Starting program: /usr/sbin/sshd -T -C user=root -C host=nd-e013 -C addr=127.0.0.1 -C lport=22
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
ssh_remote_ipaddr (ssh=ssh@entry=0x0) at ../../packet.c:532
Download failed: Invalid argument. Continuing without source file ./debian/build-deb/../../packet.c.
532 ../../packet.c: No such file or directory.
(gdb) bt
#0 ssh_remote_ipaddr (ssh=ssh@entry=0x0) at ../../packet.c:532
#1 0x0000555555572d6e in export_remote_info (ssh=ssh@entry=0x0) at ../../auth.c:1111
#2 0x00005555555620e2 in main (ac=10, av=0x555555633960) at ../../sshd.c:1672...
How I did it
Add NULL check in export_remote_info
How to verify it
Start ssh with arguments and check no crash
admin# /usr/sbin/sshd -T -C user=root -C host=nd-e013 -C addr=127.0.0.1 -C lport=22
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22
usepam yes
logingracetime 120
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 600
....