
Bug#1096000: sshd fatal assert: Unexpected error 9 on netlink descriptor 3



I found a place where all FDs from 3 and up are closed with a closefrom() call, and this is done twice. This would seem to provide the opportunity for getaddrinfo() to open a socket on FD 3, which is then closed again before getaddrinfo is done with it. Here are the two closefrom()s:

session.c: 1607 (the closefrom(3) occurs inside the child_close_fds() function):

        /*
         * Close the connection descriptors; note that this is the child, and
         * the server will still have the socket open, and it is important
         * that we do not shutdown it.  Note that the descriptors cannot be
         * closed before building the environment, as we call
         * ssh_remote_ipaddr there.
         */
        child_close_fds(ssh);

Then closefrom(3) is called a second time in the same do_child() function at session.c: 1663:

        closefrom(STDERR_FILENO + 1);

I believe this exposes getaddrinfo() running in a different thread to the condition described in BZ #12926:
12926 – getaddrinfo()/make_request() may spin forever

I also see that both of these closefrom calls have been in place for many years. Is there a reason this FD cleanup is being done twice?

David Eoll
Microsoft Corp.
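
Added example, not part of the original message and not OpenSSH or glibc code: a sequential replay, in a forked child, of the interleaving the message describes, showing that a socket opened on the lowest free descriptor returns error 9 (EBADF) once everything above stderr has been closed. The names close_from() and errno_after_closefrom() are hypothetical, close_from() is a stand-in for closefrom(), and the fallback to an AF_UNIX socket is an assumption for systems without netlink.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Stand-in for closefrom(): closes lowfd..1023, enough for this demo. */
static void close_from(int lowfd)
{
    for (int fd = lowfd; fd < 1024; fd++)
        close(fd);
}

/* Replays the interleaving sequentially in a forked child: (1) resolver-style
 * code opens a socket on the lowest free fd, (2) session code closes all fds
 * above stderr, (3) the resolver code returns to its socket.
 * Returns the errno from step 3 (0 on success), or -1 on setup failure. */
int errno_after_closefrom(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);   /* step 1 */
        if (fd < 0)  /* no netlink here: any socket shows the same effect */
            fd = socket(AF_UNIX, SOCK_DGRAM, 0);
        if (fd >= 0 && fd <= STDERR_FILENO)  /* stdio was closed: move up */
            fd = fcntl(fd, F_DUPFD, STDERR_FILENO + 1);
        if (fd < 0)
            _exit(255);
        close_from(STDERR_FILENO + 1);                           /* step 2 */
        struct sockaddr_storage ss;
        socklen_t len = sizeof(ss);
        int rc = getsockname(fd, (struct sockaddr *)&ss, &len);  /* step 3 */
        _exit(rc == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("errno=%d (EBADF=%d)\n", errno_after_closefrom(), EBADF);
    return 0;
}
```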