NetBSD-Bugs archive


Re: lib/50936: security/openssh segfaults on NetBSD-current



The following reply was made to PR lib/50936; it has been noted by GNATS.

From: Martin Husemann <martin%duskware.de@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: lib/50936: security/openssh segfaults on NetBSD-current
Date: Fri, 11 Mar 2016 15:27:59 +0100

 The pointer returned indirectly is ok:
 
 > #0  _reallocarr (ptr=ptr@entry=0x7f7fffff7928, number=1, size=40)
 >     at /usr/src/lib/libc/stdlib/reallocarr.c:63
 > #1  0x00007f7ff624543e in reallocarray (optr=0x0, nmemb=<optimized out>, 
 >     size=size@entry=40) at /usr/src/lib/libc/stdlib/reallocarray.c:46
 
 until here, I get for example: $15 = (void *) 0x7f7ff7b32080
 but then back in record_hostkey:
 
 > #2  0x000000000042d269 in record_hostkey (l=l@entry=0x7f7fffff79f0, 
 >     _ctx=_ctx@entry=0x7f7fffffbb00) at hostfile.c:255
 
 it is assigned to "tmp" and that is sign-extended from 32 bits to 64:
 
 (gdb) p tmp
 $20 = (struct hostkey_entry *) 0xfffffffff7b32080
 
 and then of course it dies.
 
 Martin
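To make the corruption Martin describes concrete, here is an added example that is not part of the PR or of OpenSSH: it models a 64-bit pointer being squeezed through a 32-bit int and widened again, using the two values quoted in the report (the cause of the narrowing in the actual bug is not established here and is not assumed), and adds a heuristic check for pointers that show this pattern.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

/* Values quoted in the report (re-typed here as constants, not captured live). */
#define GOOD_PTR ((uintptr_t)0x7f7ff7b32080ULL)
#define BAD_PTR  ((uintptr_t)0xfffffffff7b32080ULL)

/* Model the damage: keep only the low 32 bits of a pointer (as an int would),
 * then widen back to pointer width. Because the widening is signed, bit 31
 * is copied into the whole upper half. */
uintptr_t squeeze_through_int(uintptr_t p)
{
    int32_t low = (int32_t)(uint32_t)(p & 0xffffffffu); /* truncate to 32 bits */
    return (uintptr_t)(intptr_t)low;                     /* sign-extend to 64 */
}

/* Heuristic check for the pattern seen in the report on an LP64 system:
 * upper 32 bits all set while bit 31 of the low half is set. A valid
 * user-space pointer on amd64 never looks like this. Note the limitation:
 * a pointer whose low half has bit 31 clear is zero-extended instead,
 * so the upper half is silently lost and this check does not fire. */
bool looks_sign_extended(uintptr_t p)
{
    return (p >> 32) == 0xffffffffu && (p & 0x80000000u) != 0;
}

int main(void)
{
    uintptr_t bad = squeeze_through_int(GOOD_PTR);
    printf("%#" PRIxPTR " -> %#" PRIxPTR " (matches report: %s)\n",
           GOOD_PTR, bad, bad == BAD_PTR ? "yes" : "no");
    printf("flagged as sign-extended: %s\n",
           looks_sign_extended(bad) ? "yes" : "no");
    return 0;
}
```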
 