Hello,

I looked through the latest stable version of openssh (3.0.2p1) and found a number of items that concerned me. I'm not terribly familiar with the coding, so patches are probably better left to someone else. Anyways, here is a list of issues that I think someone should look at.

Cheers,
Steve Grubb

--------

File / Line / Description

channels.c
  1195  If nc == NULL, this line segfaults. Test at 1187 should probably return.
  1716  If c == NULL, this line segfaults. Test at 1712 should probably return.
  1762  If c == NULL, this line segfaults. Test at 1760 should probably return.
  1802  If c == NULL, this line segfaults. Test at 1797 should probably return.
  1827  If c == NULL, this line segfaults. Test at 1819 should probably return.
  1856  Test is done for NULL at 1854, but c is passed regardless.
  1869  If c == NULL, this line segfaults. Test at 1866 should probably return.
  1892  If c == NULL, this line segfaults. Test at 1887 should probably return.
  1938  Test of c == NULL. Continues processing, calling free_channel with c.
  1972  If c == NULL, this line segfaults. Test at 1968 should probably return.
  2449  Variable socks has not been initted since 2409!
  2598  strchr could return a NULL if $DISPLAY does not have a ':' in it!

deattack.c
  139   Test at 132 for IV == NULL should probably bypass this area. Will segfault in this line if IV == NULL.

kexgex.c
  304   If dh == NULL, this line segfaults. Test at 299 should probably return.

ssh.c
  88    IPv4or6 is an int. Line 136 of channels.c declares a static int for the same variable. ???

clientloop.c
  1120  If c == NULL, this line segfaults. Test at 1116 should probably return 0.
  1146  If c == NULL, this line segfaults. Test at 1142 should probably return.
  1234  If c == NULL, this line segfaults. Test at 1224 should probably return.

sshd.c
  106   IPv4or6 is an int. Line 136 of channels.c declares a static int for the same variable. ???

auth2-chall.c
  261   Test at 246 checks for > 0. If nresp == 0, response never gets alloc'ed and is still NULL at line 261.

session.c
  1476  There's several ways that cp could still be NULL by the time it gets to this line. Especially if AIX is defined. Better checking of cp is needed leading up to this line.
  2021  Are all session tty members guaranteed to have a '/' in their name? If not, this line segfaults because of the return from strrchr.
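As an added illustration (not OpenSSH code, and not part of the report above), the two library-return cases flagged in the list, strchr on $DISPLAY and strrchr on the tty name, handled by checking the return value before using it; parse_display and tty_basename are hypothetical helpers written for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Split a DISPLAY value ("host:10.0", ":0") into host and display number.
 * Returns 0 on success, -1 if there is no ':' to split on, the case
 * where a bare strchr() result would otherwise be dereferenced. */
int parse_display(const char *display, char *host, size_t hostlen, int *number)
{
    const char *colon;
    size_t n;

    if (display == NULL || host == NULL || number == NULL)
        return -1;
    colon = strchr(display, ':');
    if (colon == NULL)              /* no ':' -> refuse instead of crashing */
        return -1;
    n = (size_t)(colon - display);  /* length of the host part, may be 0 */
    if (n >= hostlen)
        return -1;
    memcpy(host, display, n);
    host[n] = '\0';
    if (sscanf(colon + 1, "%d", number) != 1)
        return -1;
    return 0;
}

/* Return the component after the last '/' in a tty name ("/dev/pts/3" -> "3").
 * If the name has no '/', return the name itself rather than computing
 * strrchr()+1 on a NULL pointer. */
const char *tty_basename(const char *tty)
{
    const char *slash;

    if (tty == NULL)
        return NULL;
    slash = strrchr(tty, '/');
    return slash == NULL ? tty : slash + 1;
}
```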