On 9 Jan 2000, Niels Möller wrote:
> > Hey! This seems to be an obscure bug. ;) What the hack correlates
> > verbosity and segfault in the zlib glue code?
>
> My guess is that the difference is whether or not the server sends the
> SSH_MSG_DEBUG message saying "Key exchange successful". This is the
> first message sent that uses compression. Running with --debug will
> tell you exactly which packets are sent and received.
Yes. That's true... I wrote the mail before carefully checking the
steps in the backtrace. If the verbose_flag is true, an SSH_MSG_DEBUG
message will be sent.
> > Hmmm. In the src directory 'grep inflate *' -> nowhere assigned.
> > 'grep deflate *' -> nowhere assigned as well... Then how should lsh/lshd
> > know what to call in case of (de)compression?
>
> Ooops. Don't understand why this could ever have worked. The pointers
> should be set up properly in make_zlib_instance(). Something like this
> (untested):
>
> diff -u -a -r1.21 zlib.c
Now it doesn't segfault... but:
do_zlib: deflate() or inflate() failed: buffer error
lshd: compress.c:54: do_packet_deflate: Assertion `packet' failed.
This possibly means (from zlib.h):
deflate() returns <snip> Z_BUF_ERROR if no progress is possible (for
example avail_in or avail_out was zero).
Hmmm. Something is still wrong... Let's gdb in do_zlib again:
(gdb) list
153 self->z.next_out = buffer.current;
154 self->z.avail_out = buffer.left;
155
156 rc = self->f(&self->z, Z_SYNC_FLUSH);
157
158 if (rc != Z_OK)
159 {
160 werror("do_zlib: deflate() or inflate() failed: %z\n",
(gdb) print self->z
$5 = {next_in = 0x80edec4 "\004", avail_in = 34, total_in = 0,
next_out = 0x809fc8c "", avail_out = 0, total_out = 0, msg = 0x0,
state = 0x80ac78c, zalloc = 0x8061558 <zlib_alloc>,
zfree = 0x8061570 <zlib_free>, opaque = 0x8049d40, data_type = 2, adler = 1,
reserved = 0}
Ooops, avail_out is really zero. Baaad...
Since 'self->z.avail_out = buffer.left;', let's print buffer:
(gdb) print buffer
$6 = {partial = 0x809fc80, left = 0, current = 0x809fc8c "", tail = 0x0,
total = 0}
Ouch... buffer.left=0;
The problem resides at
string_buffer_init(&buffer,estimate_size(self->rate,packet->length,self->max));
because self->rate==0 and estimate_size does:
static UINT32 estimate_size(UINT32 rate, UINT32 input, UINT32 max)
{
UINT32 guess = rate * input / RATE_UNIT + MARGIN;
return MIN(max, guess);
}
And 0<(any positive number) ;)
BTW self->max is 0 as well... None of them is initialized... But what
values should they have?
> Now I only wonder why my lsh didn't crash... For some reason
> compression must have been disabled.
'grep ZLIB config.h'
Greets,
Keresztg
+ Keresztfalvi Gabor
+ Student of the Technical University of Budapest
+ mailto: [EMAIL PROTECTED] [EMAIL PROTECTED]
+ http://www.sch.bme.hu/~keresztg/
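The buffer-sizing logic traced above, as an added illustration that is not lsh code and not part of the thread. It reproduces the quoted estimate_size() unchanged, shows why rate == 0 and max == 0 produce a zero-length output buffer (and hence avail_out == 0 and Z_BUF_ERROR), and puts a hypothetical hardened sizer next to it. The values of RATE_UNIT and MARGIN, the struct and function names other than estimate_size(), and the choice of RATE_UNIT (1:1) as the initial rate are all assumptions; the mail shows none of them.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values: the thread names both constants but never shows them. */
#define RATE_UNIT 1024u   /* 'rate' = output bytes per input byte, in 1/RATE_UNIT */
#define MARGIN    100u    /* slack added to every estimate */

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* The estimate_size() quoted in the thread, reproduced unchanged. With the
 * two fields never initialised (rate == 0, max == 0) it returns
 * MIN(0, MARGIN) == 0, so string_buffer_init() hands zlib a buffer with
 * avail_out == 0 and deflate()/inflate() answers Z_BUF_ERROR. */
static uint32_t estimate_size(uint32_t rate, uint32_t input, uint32_t max)
{
    uint32_t guess = rate * input / RATE_UNIT + MARGIN;
    return MIN(max, guess);
}

/* Hypothetical hardened replacement (not lsh code). The product is taken
 * in 64 bits so a large rate cannot wrap, max == 0 is treated as "no cap"
 * instead of a cap of zero, and the result is never 0, so the zlib call
 * always has some output space. */
static uint32_t estimate_size_safe(uint32_t rate, uint32_t input, uint32_t max)
{
    uint64_t guess = (uint64_t)rate * input / RATE_UNIT + MARGIN;
    if (max != 0 && guess > max)
        guess = max;
    if (guess == 0)
        guess = 1;               /* only reachable if MARGIN were 0 */
    return guess > UINT32_MAX ? UINT32_MAX : (uint32_t)guess;
}

/* The two fields the thread found uninitialised, with the constructor they
 * were missing. Starting at RATE_UNIT (1:1) is an assumption. */
struct zlib_sizer {
    uint32_t rate;   /* observed output/input ratio in 1/RATE_UNIT */
    uint32_t max;    /* hard cap on one output buffer; 0 = no cap */
};

static void zlib_sizer_init(struct zlib_sizer *s, uint32_t max)
{
    s->rate = RATE_UNIT;
    s->max = max;
}

/* Feed back the real byte counts (deltas of z.total_in / z.total_out) after
 * each call so the next estimate tracks the stream. A call that made no
 * progress (in_bytes == 0) leaves the ratio alone. */
static void zlib_sizer_update(struct zlib_sizer *s, uint32_t in_bytes, uint32_t out_bytes)
{
    if (in_bytes == 0)
        return;
    uint64_t r = (uint64_t)out_bytes * RATE_UNIT / in_bytes;
    s->rate = r > UINT32_MAX ? UINT32_MAX : (uint32_t)r;
}

static uint32_t zlib_sizer_next(const struct zlib_sizer *s, uint32_t input)
{
    return estimate_size_safe(s->rate, input, s->max);
}

int main(void)
{
    struct zlib_sizer s;

    /* The crash from the thread: 34 input bytes, rate and max both 0. */
    printf("buggy estimate, 34 bytes, rate=0 max=0: %u\n", estimate_size(0, 34, 0));
    printf("safe  estimate, 34 bytes, rate=0 max=0: %u\n", estimate_size_safe(0, 34, 0));

    /* Deflate direction: the stream turns out to compress 4:1. */
    zlib_sizer_init(&s, 65536);
    printf("initial estimate for 34 bytes: %u\n", zlib_sizer_next(&s, 34));
    zlib_sizer_update(&s, 1000, 250);
    printf("after observing 4:1, estimate for 1000 bytes: %u\n", zlib_sizer_next(&s, 1000));

    /* Inflate direction: output is four times the input. */
    zlib_sizer_update(&s, 250, 1000);
    printf("after observing 1:4, estimate for 250 bytes: %u\n", zlib_sizer_next(&s, 250));
    return 0;
}
```

The assumed fix only keeps avail_out away from zero; the call site still has to treat Z_BUF_ERROR with avail_out == 0 as "grow the buffer and call again", not as a fatal error, since the estimate is only a guess.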