NetBSD-Bugs archive
bin/44516: ssh crashes when it receives malformed packet
>Number: 44516
>Category: bin
>Synopsis: ssh crashes when it receives malformed packet
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Feb 05 02:40:01 +0000 2011
>Originator: Shingo NISHIOKA
>Release: 5.1_STABLE
>Organization:
National Institute of Informatics
>Environment:
NetBSD h-1.cs.nii.ac.jp 5.1_STABLE NetBSD 5.1_STABLE (GENERIC) #1: Wed Feb 2
16:27:05 JST 2011
nis%h-1.cs.nii.ac.jp@localhost:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
ssh crashes when it receives a malformed packet.
In that case, ssh finds that the packet size is too long and reports the problem.
After that, ssh crashes with a segmentation fault.
--
$ ssh -vvv shinobu
OpenSSH_5.0 NetBSD_Secure_Shell-20080403, OpenSSL 0.9.9-dev 09 May 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to shinobu [136.187.103.252] port 22.
debug1: Connection established.
debug1: identity file /home/marron/.ssh/identity type -1
debug1: identity file /home/marron/.ssh/id_rsa type -1
debug1: identity file /home/marron/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1
FreeBSD-20100308
debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
NetBSD_Secure_Shell-20080403-hpn13v1
debug2: fd 6 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 3737169374.
[1] Segmentation fault (core dumped) ssh -vvv shinobu
--
>How-To-Repeat:
Not sure.
In our case, the ssh server runs on FreeBSD 8.2-RC2 PV/XEN3_DOMU (i386),
and the XEN3_DOM0 is NetBSD 5.1_STABLE (amd64).
--
The following is the output of tcpdump captured on DOM0:
tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:25.229949 arp who-has shinobu.cs.nii.ac.jp tell h-1
0x0000: ffff ffff ffff 001b 24f0 2c48 0806 0001 ........$.,H....
0x0010: 0800 0604 0001 001b 24f0 2c48 88bb 67db ........$.,H..g.
0x0020: 0000 0000 0000 88bb 67fc 0000 0000 0000 ........g.......
0x0030: 0000 0000 0000 0000 0000 0000 ............
11:20:25.230002 arp reply shinobu.cs.nii.ac.jp is-at 00:16:3e:00:01:19 (oui
Unknown)
0x0000: 001b 24f0 2c48 0016 3e00 0119 0806 0001 ..$.,H..>.......
0x0010: 0800 0604 0002 0016 3e00 0119 88bb 67fc ........>.....g.
0x0020: 001b 24f0 2c48 88bb 67db ..$.,H..g.
11:20:25.230230 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 64) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: S, cksum 0x6ab3 (correct),
185491175:185491175(0) win 32768 <mss 1460,nop,wscale
3,sackOK,nop,nop,nop,nop,timestamp 1 0>
0x0000: 0016 3e00 0119 001b 24f0 2c48 0800 4500 ..>.....$.,H..E.
0x0010: 0040 0000 4000 4006 596a 88bb 67db 88bb .@..@.@.Yj..g...
0x0020: 67fc ffef 0016 0b0e 5ee7 0000 0000 b002 g.......^.......
0x0030: 8000 6ab3 0000 0204 05b4 0103 0303 0402 ..j.............
0x0040: 0101 0101 080a 0000 0001 0000 0000 ..............
11:20:25.230299 IP (tos 0x0, ttl 64, id 122, offset 0, flags [DF], proto TCP
(6), length 60) shinobu.cs.nii.ac.jp.ssh > h-1.65519: S, cksum 0x1bcc
(correct), 4246074977:4246074977(0) ack 185491176 win 65535 <mss
1460,nop,wscale 3,sackOK,timestamp 2700168307 1>
0x0000: 001b 24f0 2c48 0016 3e00 0119 0800 4500 ..$.,H..>.....E.
0x0010: 003c 007a 4000 4006 58f4 88bb 67fc 88bb .<.z@.@.X...g...
0x0020: 67db 0016 ffef fd15 f661 0b0e 5ee8 a012 g........a..^...
0x0030: ffff 1bcc 0000 0204 05b4 0103 0303 0402 ................
0x0040: 080a a0f1 4c73 0000 0001 ....Ls....
11:20:25.230526 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 52) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: ., cksum 0x3a2f (correct),
1:1(0) ack 1 win 4197 <nop,nop,timestamp 1 2700168307>
0x0000: 0016 3e00 0119 001b 24f0 2c48 0800 4500 ..>.....$.,H..E.
0x0010: 0034 0000 4000 4006 5976 88bb 67db 88bb .4..@.@.Yv..g...
0x0020: 67fc ffef 0016 0b0e 5ee8 fd15 f662 8010 g.......^....b..
0x0030: 1065 3a2f 0000 0101 080a 0000 0001 a0f1 .e:/............
0x0040: 4c73 Ls
11:20:25.244288 IP (tos 0x0, ttl 64, id 123, offset 0, flags [DF], proto TCP
(6), length 92) shinobu.cs.nii.ac.jp.ssh > h-1.65519: P 1:41(40) ack 1 win 8326
<nop,nop,timestamp 2700168308 1>
0x0000: 001b 24f0 2c48 0016 3e00 0119 0800 4500 ..$.,H..>.....E.
0x0010: 005c 007b 4000 4006 58d3 88bb 67fc 88bb .\.{@.@.X...g...
0x0020: 67db 0016 ffef fd15 f662 0b0e 5ee8 8018 g........b..^...
0x0030: 2086 3d83 0000 0101 080a a0f1 4c74 0000 ..=.........Lt..
0x0040: 0001 5353 482d 322e 302d 4f70 656e 5353 ..SSH-2.0-OpenSS
0x0050: 485f 352e 3470 3120 4672 6565 4253 442d H_5.4p1.FreeBSD-
11:20:25.244515 IP (tos 0x0, ttl 64, id 15745, offset 0, flags [DF], proto TCP
(6), length 109) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: P 1:58(57) ack 41 win
4197 <nop,nop,timestamp 1 2700168308>
0x0000: 0016 3e00 0119 001b 24f0 2c48 0800 4500 ..>.....$.,H..E.
0x0010: 006d 3d81 4000 4006 1bbc 88bb 67db 88bb .m=.@.@.....g...
0x0020: 67fc ffef 0016 0b0e 5ee8 fd15 f68a 8018 g.......^.......
0x0030: 1065 9987 0000 0101 080a 0000 0001 a0f1 .e..............
0x0040: 4c74 5353 482d 322e 302d 4f70 656e 5353 LtSSH-2.0-OpenSS
0x0050: 485f 352e 3020 4e65 7442 5344 5f53 6563 H_5.0.NetBSD_Sec
11:20:25.246906 IP (tos 0x0, ttl 64, id 124, offset 0, flags [DF], proto TCP
(6), length 836) shinobu.cs.nii.ac.jp.ssh > h-1.65519: P 41:825(784) ack 58 win
8326 <nop,nop,timestamp 2700168309 1>
0x0000: 001b 24f0 2c48 0016 3e00 0119 0800 4500 ..$.,H..>.....E.
0x0010: 0344 007c 4000 4006 55ea 88bb 67fc 88bb .D.|@.@.U...g...
0x0020: 67db 0016 ffef fd15 f68a 0b0e 5f21 8018 g..........._!..
0x0030: 2086 bbf7 0000 0101 080a a0f1 4c75 0000 ............Lu..
0x0040: 0001 dec0 adde dec0 adde dec0 adde dec0 ................
0x0050: adde dec0 adde dec0 adde dec0 adde dec0 ................
11:20:25.247139 IP (tos 0x0, ttl 64, id 15750, offset 0, flags [DF], proto TCP
(6), length 804) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: P 58:810(752) ack 825
win 4099 <nop,nop,timestamp 1 2700168309>
0x0000: 0016 3e00 0119 001b 24f0 2c48 0800 4500 ..>.....$.,H..E.
0x0010: 0324 3d86 4000 4006 1900 88bb 67db 88bb .$=.@.@.....g...
0x0020: 67fc ffef 0016 0b0e 5f21 fd15 f99a 8018 g......._!......
0x0030: 1003 61a0 0000 0101 080a 0000 0001 a0f1 ..a.............
0x0040: 4c75 0000 02ec 0814 e6cb 9a04 d3f4 c241 Lu.............A
0x0050: f103 9e45 d9ed 9593 0000 007e 6469 6666 ...E.......~diff
11:20:25.249480 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 52) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: F, cksum 0x33cb (correct),
810:810(0) ack 825 win 4197 <nop,nop,timestamp 1 2700168309>
0x0000: 0016 3e00 0119 001b 24f0 2c48 0800 4500 ..>.....$.,H..E.
0x0010: 0034 0000 4000 4006 5976 88bb 67db 88bb .4..@.@.Yv..g...
0x0020: 67fc ffef 0016 0b0e 6211 fd15 f99a 8011 g.......b.......
0x0030: 1065 33cb 0000 0101 080a 0000 0001 a0f1 .e3.............
0x0040: 4c75 Lu
11:20:25.249515 IP (tos 0x0, ttl 64, id 125, offset 0, flags [DF], proto TCP
(6), length 52) shinobu.cs.nii.ac.jp.ssh > h-1.65519: ., cksum 0x23aa
(correct), 825:825(0) ack 811 win 8326 <nop,nop,timestamp 2700168309 1>
0x0000: 001b 24f0 2c48 0016 3e00 0119 0800 4500 ..$.,H..>.....E.
0x0010: 0034 007d 4000 4006 58f9 88bb 67fc 88bb .4.}@.@.X...g...
0x0020: 67db 0016 ffef fd15 f99a 0b0e 6212 8010 g...........b...
0x0030: 2086 23aa 0000 0101 080a a0f1 4c75 0000 ..#.........Lu..
0x0040: 0001 ..
11:20:25.265532 IP (tos 0x0, ttl 64, id 126, offset 0, flags [DF], proto TCP
(6), length 52) shinobu.cs.nii.ac.jp.ssh > h-1.65519: F, cksum 0x23a7
(correct), 825:825(0) ack 811 win 8326 <nop,nop,timestamp 2700168311 1>
0x0000: 001b 24f0 2c48 0016 3e00 0119 0800 4500 ..$.,H..>.....E.
0x0010: 0034 007e 4000 4006 58f8 88bb 67fc 88bb .4.~@.@.X...g...
0x0020: 67db 0016 ffef fd15 f99a 0b0e 6212 8011 g...........b...
0x0030: 2086 23a7 0000 0101 080a a0f1 4c77 0000 ..#.........Lw..
0x0040: 0001 ..
11:20:25.265603 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 52) h-1.65519 > shinobu.cs.nii.ac.jp.ssh: ., cksum 0x33c8 (correct),
811:811(0) ack 826 win 4197 <nop,nop,timestamp 1 2700168311>
0x0000: 0016 3e00 0119 001b 24f0 2c48 0800 4500 ..>.....$.,H..E.
0x0010: 0034 0000 4000 4006 5976 88bb 67db 88bb .4..@.@.Yv..g...
0x0020: 67fc ffef 0016 0b0e 6212 fd15 f99b 8010 g.......b.......
0x0030: 1065 33c8 0000 0101 080a 0000 0001 a0f1 .e3.............
0x0040: 4c77 Lw
13 packets captured
39 packets received by filter
0 packets dropped by kernel
>Fix:
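The length check from the capture above, as an added example by the editor (not code from the PR, OpenSSH or NetBSD, and not a fix): it strips the Ethernet, IP and TCP headers from the server's 784-byte segment, applies the bound OpenSSH places on the leading packet_length field of an SSH binary packet, and shows that the 30 captured payload bytes are one repeated 4-byte filler rather than a KEXINIT. Assumptions: the 96-byte snaplen truncates the segment, so only its start is examined, and the 256 KiB PACKET_MAX_SIZE is OpenSSH's own limit, not something the PR states.

```python
import struct

# Server -> client segment from the PR's tcpdump output above (the 784-byte
# "P 41:825" segment, cut at the 96-byte snaplen); hex copied verbatim.
FRAME_HEX = (
    "001b24f02c4800163e00011908004500" "0344007c4000400655ea88bb67fc88bb"
    "67db0016ffeffd15f68a0b0e5f218018" "2086bbf700000101080aa0f14c750000"
    "0001dec0addedec0addedec0addedec0" "addedec0addedec0addedec0addedec0"
)
# Start of the client's own KEXINIT from the capture: length 0x2ec, padding 8,
# message type 20 (SSH_MSG_KEXINIT).
CLIENT_KEXINIT_HEAD = bytes.fromhex("000002ec0814")
PACKET_MAX_SIZE = 256 * 1024  # OpenSSH's cap on one binary packet (RFC 4253 needs >= 35000)

def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II, IPv4 and TCP headers; return the captured TCP payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4  # TCP header length incl. options
    return frame[tcp + data_off:]

def check_ssh_packet_length(payload: bytes):
    """Validate the leading uint32 packet_length (RFC 4253 section 6) before it is used for anything."""
    if len(payload) < 4:
        return ("short", None)
    (packet_length,) = struct.unpack("!I", payload[:4])
    if packet_length < 1 + 4 or packet_length > PACKET_MAX_SIZE:
        return ("bad-length", packet_length)  # the condition ssh reported before crashing
    return ("ok", packet_length)

def repeating_fill(data: bytes, width: int = 4):
    """Return the width-byte unit if data is only that unit repeated, else None."""
    if len(data) < 2 * width:
        return None
    unit = data[:width]
    if any(data[i] != unit[i % width] for i in range(width, len(data))):
        return None
    return unit

def analyse(frame_hex: str) -> dict:
    payload = tcp_payload(bytes.fromhex(frame_hex))
    verdict, length = check_ssh_packet_length(payload)
    unit = repeating_fill(payload)
    # Read little-endian the unit is 0xdeadc0de, a classic memory-poison value (editor's note).
    return {"payload_len": len(payload), "verdict": verdict, "packet_length": length,
            "fill_le": struct.unpack("<I", unit)[0] if unit else None}
```

The reported length 3737169374 is exactly 0xdec0adde, the first four payload bytes read big-endian, so the capture and the ssh -vvv output agree on where the failure begins.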