https://bugzilla.mindrot.org/show_bug.cgi?id=3401
--- Comment #1 from Darren Tucker <dtuc...@dtucker.net> ---

The problematic line is:

RekeyLimit -.060000000000000000E.0

Smells like either integer overflow trapped by -ftrapv or divide-by-zero
somewhere. It's more easily reproduced with ssh, which takes the same keyword:

$ cat poc.conf
RekeyLimit -.060000000000000000E.0
$ gdb --args ./ssh -F poc.conf localhost
Reading symbols from ./ssh...
(gdb) run
[...]
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
49      return ret;
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7a9c8a4 in __GI_abort () at abort.c:79
#2  0x0000555555602fc4 in __mulvdi3 ()
#3  0x00005555555fc5ea in scan_scaled (
    scaled=scaled@entry=0x555555662ba0 "-.06", '0' <repeats 16 times>, "E.0",
    result=result@entry=0x7fffffffa930)
    at ../../../openbsd-compat/fmt_scaled.c:198
#4  0x000055555556de97 in process_config_line_depth (
    options=options@entry=0x555555652360 <options>,
    pw=pw@entry=0x55555565d550, host=host@entry=0x55555565de10 "localhost",
    original_host=original_host@entry=0x555555661970 "localhost",
    line=<optimized out>, filename=filename@entry=0x555555656350 "poc.conf",
    linenum=1, activep=0x7fffffffb424, flags=2,
    want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:1175
#5  0x000055555556e570 in read_config_file_depth (
    filename=0x555555656350 "poc.conf", pw=0x55555565d550,
    host=0x55555565de10 "localhost",
    original_host=0x555555661970 "localhost",
    options=0x555555652360 <options>, flags=2, activep=0x7fffffffb424,
    want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:2285
#6  0x000055555556e79d in read_config_file (filename=<optimized out>,
    pw=<optimized out>, host=<optimized out>, original_host=<optimized out>,
    options=<optimized out>, flags=<optimized out>,
    want_final_pass=0x7fffffffc504) at ../../readconf.c:2238
--Type <RET> for more, q to quit, c to continue without paging--
#7  0x0000555555564eb7 in process_config_files (
    host_name=0x555555661970 "localhost", pw=0x55555565d550, final_pass=0,
    want_final_pass=0x7fffffffc504) at ../../ssh.c:555
#8  0x00005555555603cc in main (ac=<optimized out>, av=<optimized out>)
    at ../../ssh.c:1146
(gdb) frame 3
#3  0x00005555555fc5ea in scan_scaled (
    scaled=scaled@entry=0x555555662ba0 "-.06", '0' <repeats 16 times>, "E.0",
    result=result@entry=0x7fffffffa930)
    at ../../../openbsd-compat/fmt_scaled.c:198
198             fpart *= scale_fact;
(gdb) print fpart
$1 = -60000000000000000
(gdb) print scale_fact
$2 = 1152921504606846976
(gdb)

Yep, a trapped integer overflow. In the case where it's built w/out -ftrapv
you'll get an unexpected and possibly useless value for RekeyLimit, but
otherwise I don't think it'll have any effect.
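
Added example (not part of the comment above and not OpenSSH code): a range-checked version of the multiplication gdb stopped on, fed the fpart and scale_fact values from frame 3. The helper names checked_mul() and wrapped_mul() are hypothetical, and the check shown is one general way to guard a signed multiply, not the fix applied in fmt_scaled.c.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/*
 * Hypothetical helper: store a * b in *out and return 0, or return -1 with
 * errno = ERANGE if the product does not fit in a long long. The range test
 * uses only divisions that cannot overflow, so it never trips -ftrapv.
 */
int
checked_mul(long long a, long long b, long long *out)
{
	int overflow;

	if (a > 0)
		overflow = (b > 0) ? (a > LLONG_MAX / b) : (b < LLONG_MIN / a);
	else if (b > 0)
		overflow = (a < LLONG_MIN / b);
	else	/* both <= 0; also covers LLONG_MIN * -1 */
		overflow = (a != 0 && b < LLONG_MAX / a);
	if (overflow) {
		errno = ERANGE;
		return -1;
	}
	*out = a * b;
	return 0;
}

/* Two's-complement wraparound of a * b, computed in unsigned arithmetic
 * (well defined): the bits a non-trapping build typically ends up with. */
unsigned long long
wrapped_mul(long long a, long long b)
{
	return (unsigned long long)a * (unsigned long long)b;
}

int main(void)
{
	/* Values printed by gdb in frame 3 of the backtrace above. */
	long long fpart = -60000000000000000LL;
	long long scale_fact = 1152921504606846976LL;	/* 2^60, the "E" scale */
	long long r = 0;

	if (checked_mul(fpart, scale_fact, &r) == -1)
		printf("rejected: fpart * scale_fact overflows long long\n");
	printf("wrapped bits: 0x%016llx\n", wrapped_mul(fpart, scale_fact));
	return 0;
}
```

For these inputs the wrapped product is exactly zero, because 60000000000000000 is a multiple of 2^17 and the scale factor is 2^60.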