
fix session id2 datetype missmatch #679

Merged

Conversation

s911415

@s911415 s911415 commented Jun 23, 2023

PR Summary

Fix session_id2_len data type mismatch when passing as a pointer.

PR Context

The data type of session_id2_len is u_int. In monitor.c, it is passed as a pointer to the function sshbuf_get_string, which writes 0 through that pointer. When running on an x64 system, this causes other values to be overwritten and leads to a 0xc0000005 error.
This PR makes the data type consistent.

It seems that the issue does not exist in the original openssh repo.


```c
/* Callee (OpenSSH sshbuf): the length is returned through a size_t pointer,
 * and the first thing the function does is store 0 through that pointer. */
int
sshbuf_get_string(struct sshbuf *buf, u_char **valp, size_t *lenp)
{
	const u_char *val;
	size_t len;
	int r;
	if (valp != NULL)
		*valp = NULL;
	if (lenp != NULL)
		*lenp = 0;
	/* ... */

/* Caller (monitor.c): session_id2_len is declared u_int, so &session_id2_len
 * points at a 4-byte object that receives an 8-byte store on x64. */
if ((r = sshbuf_get_string(m, &session_id2, &session_id2_len)) != 0)
```

@maertendMSFT
Collaborator

@s911415 can you share your repro steps?

@s911415
Author

s911415 commented Jun 27, 2023

@maertendMSFT
The following are my repro steps, and the artifact is attached:

  1. Build the commit 41e17111941aa8ec97c42abe8f1006c38dd95e43, with Release mode, x64.
  2. Launch the sshd server with sshd -vvv (in local user mode)
  3. Connect to sshd server via any ssh client
    The following is the client side log:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh\\localhost.key ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: .ssh\\localhost.key ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx explicit
debug3: sign_and_send_pubkey: using [email protected] with ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to 127.0.0.1 ([127.0.0.1]:8890) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: filesystem
debug3: client_repledge: enter
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug3: This windows OS supports conpty
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug3: Successfully set console output code page from:65001 to 65001
debug3: Successfully set console input code page from:65001 to 65001
debug3: recv - from CB ERROR:10054, io:000002199D618CB0
debug3: send packet: type 1
debug3: send - WSASend() ERROR:10054, io:000002199D618CB0
client_loop: send disconnect: Connection reset
debug3: Successfully set console output code page from 65001 to 65001
debug3: Successfully set console input code page from 65001 to 65001

And the following is server side log:

Accepted publickey for xxxx from 127.0.0.1 port 14136 ssh2: ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug1: monitor_child_preauth: user s911415 authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect: entering, type 26
debug3: mm_request_receive: entering
debug3: mm_get_keystate: GOT new keys
debug1: auth_activate_options: setting new authentication options [preauth]
debug2: userauth_pubkey: authenticated 1 pkalg ssh-ed25519 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 41.000ms, delaying 7.127ms (requested 6.016ms) [preauth]
debug3: send packet: type 52 [preauth]
debug3: mm_request_send: entering, type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug3: ReadFileEx() ERROR:109, io:0000023180714BF0
debug3: read - no more data, io:0000023180714BF0
debug1: monitor_read_log: child log fd closed
debug3: get_user_token - i am running as xxxx, returning process token
debug1: Not running as SYSTEM: skipping loading user profile
debug3: spawning "xxxxx\\openssh-portable\\bin\\x64\\Release\\sshd.exe" -ddd -z as user
User child is on pid 12928
debug3: send_rexec_state: entering fd = 8 config len 2063
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: monitor_recv_keystate: entering
debug3: ssh_msg_recv entering
debug3: monitor_recv_keystate: done
debug3: monitor_apply_keystate: packet_set_state
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: ssh_packet_set_postauth: called
debug3: ssh_packet_set_state: done
debug3: monitor_recv_authopt: entering
debug3: ssh_msg_recv entering
debug3: monitor_recv_authopt: done
debug3: notify_hostkeys: key 0: ssh-rsa SHA256:xxxxxxxxxx
debug3: notify_hostkeys: key 1: ecdsa-sha2-nistp256 SHA256:xxxxxxxxxx
debug3: notify_hostkeys: key 2: ssh-ed25519 SHA256:xxxxxxxxxx
debug3: notify_hostkeys: sent 3 hostkeys
debug3: send packet: type 80
debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: mm_request_receive: entering

xxxxx\openssh-portable\bin\x64\Release\sshd.exe (process 20880) exited with code 255.

Note: the 2nd child process crashed (pid: 12928).

  1. Checked the dmp file and noticed it crashed when invoking auth_debug_send.
  2. Attached a debugger and found that the data type mismatch caused the data to be modified unexpectedly,
    because sizeof(u_int) = 4, but sizeof(size_t [unsigned __int64]) = 8.

See the link for details about the sizes of data types:
https://learn.microsoft.com/en-us/cpp/cpp/data-type-ranges

sshd.zip
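The mechanism behind the crash described in the PR summary and in the repro notes above, as an added example that is not part of this PR or of OpenSSH: get_len stands in for the lenp write in sshbuf_get_string, frame_t is a constructed pair of adjacent 4-byte fields, and the buggy call is expressed through a union so the 8-byte store can be shown without undefined behaviour. On x64 the store through a size_t pointer lands on the neighbouring field; with the variable declared size_t, as in this PR, it does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for the length-output part of sshbuf_get_string():
 * clear *lenp first, then store the decoded length (assumption: the real
 * function also copies the string; only the lenp stores matter here). */
static int get_len(size_t *lenp, size_t len)
{
    if (lenp != NULL)
        *lenp = 0;          /* sizeof(size_t) bytes: 8 on x64, not 4 */
    if (len == 0)
        return -1;          /* constructed: stands in for a decode error */
    if (lenp != NULL)
        *lenp = len;
    return 0;
}

/* Two adjacent 4-byte fields, as a u_int session_id2_len would sit next to
 * another variable. "wide" overlays both, which is exactly the footprint of
 * an 8-byte store made through a size_t* that really points at a u_int. */
typedef union {
    struct { unsigned int len; unsigned int neighbor; } narrow;
    size_t wide;
} frame_t;

#define SENTINEL 0xDEADBEEFu

/* Buggy pattern: &u_int handed to a size_t* parameter. Returns 1 if the
 * neighbouring field was modified by the callee's store. */
int buggy_call_clobbers_neighbor(size_t len)
{
    frame_t f;
    f.narrow.len = 0;
    f.narrow.neighbor = SENTINEL;
    get_len(&f.wide, len);  /* models (size_t *)&session_id2_len on x64 */
    return f.narrow.neighbor != SENTINEL;
}

/* Fixed pattern from the PR: the variable itself is a size_t, so the store
 * covers exactly that object and nothing beside it. */
int fixed_call_clobbers_neighbor(size_t len)
{
    size_t session_id2_len = 0;
    unsigned int neighbor = SENTINEL;
    get_len(&session_id2_len, len);
    return neighbor != SENTINEL;
}

int main(void)
{
    printf("sizeof(u_int)=%zu sizeof(size_t)=%zu\n", sizeof(unsigned int), sizeof(size_t));
    printf("buggy call clobbers neighbor: %d\n", buggy_call_clobbers_neighbor(32));
    printf("fixed call clobbers neighbor: %d\n", fixed_call_clobbers_neighbor(32));
    return 0;
}
```

On a 32-bit build both types are 4 bytes wide and the buggy pattern happens to be harmless, which is why the mismatch can survive until an x64 build; compiling with warnings enabled flags the direct `unsigned int *` to `size_t *` mismatch before it reaches a debugger.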

@tgauth
Collaborator

tgauth commented Jun 27, 2023

2. Launch the sshd server with sshd -vvv (in local user mode)

Is this actually sshd -ddd - like running the ssh server in debug mode? In debug mode, only public key authentication is permitted - see https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps for more information.

debug3: Successfully set console output code page from:65001 to 65001
debug3: Successfully set console input code page from:65001 to 65001

I see this error as well when password-based authentication is used and sshd is running in debug mode.

@s911415
Author

s911415 commented Jun 27, 2023

@tgauth oh sorry, I use -ddd.
I use a public key, and the user is authenticated.

After I changed the data type of session_id2_len to size_t, to ensure the write through the pointer does not overwrite other memory, I can log in normally.

Actually, there is no error log on the server side. Only a memory dump file is generated (due to 0xc0000005) for the child process.

@tgauth
Collaborator

tgauth commented Jun 27, 2023

Ah ok, I see. Just curious - does this also repro when sshd is running as a service?

I understand that monitor_send_keystate is not upstream but I still think a bug for this should also be opened upstream at https://bugzilla.mindrot.org/describecomponents.cgi?product=Portable%20OpenSSH, due to usage in mm_answer_sign for example - https://github.com/openssh/openssh-portable/blob/master/monitor.c#L662

@tgauth tgauth merged commit 1146f36 into PowerShell:latestw_all Sep 28, 2023