Re: lib/50936: security/openssh segfaults on NetBSD-current

[Martin Husemann <martin%duskware.de@localhost>]

The following reply was made to PR lib/50936; it has been noted by GNATS.

From: Martin Husemann <martin%duskware.de@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: lib/50936: security/openssh segfaults on NetBSD-current
Date: Fri, 11 Mar 2016 15:17:33 +0100

 I can reproduce it.
 
 #0  _reallocarr (ptr=ptr@entry=0x7f7fffff7928, number=1, size=40)
     at /usr/src/lib/libc/stdlib/reallocarr.c:63
 #1  0x00007f7ff624543e in reallocarray (optr=0x0, nmemb=<optimized out>, 
     size=size@entry=40) at /usr/src/lib/libc/stdlib/reallocarray.c:46
 #2  0x000000000042d269 in record_hostkey (l=l@entry=0x7f7fffff79f0, 
     _ctx=_ctx@entry=0x7f7fffffbb00) at hostfile.c:255
 #3  0x000000000042df3f in hostkeys_foreach (
     path=path@entry=0x7f7ff7b3a7e0 "/home/martin/.ssh/known_hosts", 
     callback=callback@entry=0x42d1f0 <record_hostkey>, 
     ctx=ctx@entry=0x7f7fffffbb00, host=host@entry=0x7f7ff7b01168 "emmas", 
     ip=ip@entry=0x0, options=options@entry=3) at hostfile.c:846
 #4  0x000000000042e349 in load_hostkeys (
     hostkeys=hostkeys@entry=0x7f7ff7b260e0, host=0x7f7ff7b01168 "emmas", 
     path=0x7f7ff7b3a7e0 "/home/martin/.ssh/known_hosts") at hostfile.c:281
 #5  0x000000000041503b in order_hostkeyalgs (port=<optimized out>, 
     hostaddr=0x6988a0 <hostaddr>, 
     host=0x6973d8 <options+504> "৳\367\177\177") at sshconnect2.c:115
 #6  ssh_kex2 (host=host@entry=0x7f7ff7b01160 "emmas", 
     hostaddr=hostaddr@entry=0x6988a0 <hostaddr>, port=port@entry=22)
     at sshconnect2.c:192
 
 
 and the pointer that comes out of the reallocarr is not valid.
 
 Martin