https://bugzilla.mindrot.org/show_bug.cgi?id=3906
--- Comment #2 from Darren Tucker <[email protected]> ---
Adding some debugging we can see it gets as far as subsystem_command:

debug1: M_CP_STRARRAYSTROPT subsystem_name
debug1: M_CP_STRARRAYSTROPT subsystem_command

It's a two-part macro where the first part is in servconf.h:

        M_CP_STRARRAYOPT(subsystem_name, num_subsystems); \
        M_CP_STRARRAYOPT(subsystem_command, num_subsystems); \
        M_CP_STRARRAYOPT(subsystem_args, num_subsystems); \

and the second part is:

#define M_CP_STRARRAYOPT(s, num_s) do {\
        u_int i; \
        debug("M_CP_STRARRAYSTROPT %s", #s); \
        if (src->num_s != 0) { \
                for (i = 0; i < dst->num_s; i++) \
                        free(dst->s[i]); \
                free(dst->s); \
                dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
                for (i = 0; i < src->num_s; i++) \
                        dst->s[i] = xstrdup(src->s[i]); \
                dst->num_s = src->num_s; \
        } \
} while(0)

Program received signal SIGSEGV, Segmentation fault.
0x0000555555568e8a in copy_set_server_options (dst=0x55555566c060 <options>, src=0x7fffffffd490, preauth=0) at ../../servconf.c:3016
3016            COPY_MATCH_STRING_OPTS();
(gdb) print src->num_subsystems
$2 = 1
(gdb) print src->subsystem_name[0]
$2 = 0x5555556c5df0 "sftp"
(gdb) print src->subsystem_command[0]
$3 = 0x5555556c5e10 "internal-sftp"
(gdb) print dst->num_subsystems
$4 = 1
(gdb) print dst->subsystem_command[0]
Cannot access memory at address 0x0

I think what's happening is that M_CP_STRARRAYOPT first copies subsystem_name and sets dst->num_subsystems, then when it goes to process subsystem_command it thinks there is already one entry in dst->subsystem_command[] that needs to be freed, which there isn't.
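Added example, not part of the comment above and not OpenSSH code or the project's fix: a miniature of the three parallel arrays sharing one count, with a check for the stale-count condition described above and one possible copy order that frees against the old count and updates it once. The struct, function names and the args value are hypothetical; the hazard check generalises the dst-empty case above to any dst with fewer entries than src.

```c
#define _POSIX_C_SOURCE 200809L	/* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical miniature of the server options: three parallel arrays, one count. */
struct opts { char **name, **command, **args; unsigned int num; };

/* 1 if the second per-array copy would index command[] past its real length. */
static int stale_count_hazard(const struct opts *dst, const struct opts *src)
{
	return src->num != 0 && src->num > dst->num;
}

/* Replace one array; the old length is passed in, not re-read from dst. */
static char **copy_strarray(char **old, unsigned int old_n, char **src, unsigned int n)
{
	unsigned int i;
	char **out = calloc(n, sizeof(*out));
	if (out == NULL)
		abort();
	for (i = 0; i < n; i++)
		if ((out[i] = strdup(src[i])) == NULL)
			abort();
	for (i = 0; old != NULL && i < old_n; i++)
		free(old[i]);
	free(old);
	return out;
}

/* Copy all three arrays against the old count, then set the new count once. */
static void copy_subsystems(struct opts *dst, const struct opts *src)
{
	unsigned int old_n = dst->num;
	if (src->num == 0)
		return;
	dst->name = copy_strarray(dst->name, old_n, src->name, src->num);
	dst->command = copy_strarray(dst->command, old_n, src->command, src->num);
	dst->args = copy_strarray(dst->args, old_n, src->args, src->num);
	dst->num = src->num;
}

int main(void)
{
	char *n[] = { "sftp" }, *c[] = { "internal-sftp" }, *a[] = { "" }; /* constructed */
	struct opts src = { n, c, a, 1 }, dst = { NULL, NULL, NULL, 0 };
	printf("hazard before copy: %d\n", stale_count_hazard(&dst, &src));
	copy_subsystems(&dst, &src);
	printf("%s -> %s\n", dst.name[0], dst.command[0]);
	return 0;
}
```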
