bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-13 09:11 UTC
[Bug 1795] New: An integer variable "num" in mm_answer_pam_query() is not initialized before used
https://bugzilla.mindrot.org/show_bug.cgi?id=1795

           Summary: An integer variable "num" in mm_answer_pam_query() is not initialized before used
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: bitman.zhou at centrify.com

An integer variable "num" in mm_answer_pam_query() is not initialized before it is used if the PAM module has errors. This happens on HP-UX, where the gcc compiler doesn't do default initialization.

------ code ------
int
mm_answer_pam_query(int sock, Buffer *m)
{
	char *name, *info, **prompts;
	u_int i, num, *echo_on;	/* <== num is not initialized and could be a random large number */
	int ret;

	debug3("%s", __func__);
	sshpam_authok = NULL;
	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num,
	    &prompts, &echo_on);	/* <== num may not be altered in this call */
	if (ret == 0 && num == 0)
		sshpam_authok = sshpam_ctxt;
	if (num > 1 || name == NULL || info == NULL)
		ret = -1;
	buffer_clear(m);
	buffer_put_int(m, ret);
	buffer_put_cstring(m, name);
	xfree(name);
	buffer_put_cstring(m, info);
	xfree(info);
	buffer_put_int(m, num);
	for (i = 0; i < num; ++i) {
		buffer_put_cstring(m, prompts[i]);	/* <== fail here! */
		xfree(prompts[i]);
		buffer_put_int(m, echo_on[i]);
	}

------- sshd debug log -----------
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
buffer_put_cstring: s == NULL
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
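
[Added example, not part of the bug thread and not OpenSSH code: a model of the out-parameter pattern in the report above, showing how a count that the callee never writes ends up as the loop bound, next to a caller that sets a default first. The callbacks, the prompts_walked() helper, the 0xdeadbeef "stale" value and the extra post-call check are all assumptions made for illustration.]

```c
#include <stdio.h>

typedef unsigned int u_int;
typedef int (*query_fn)(char **, char **, u_int *, char ***, u_int **);

/* Hypothetical stand-in for a query callback whose error path returns
 * without writing any of its out-parameters. */
static int query_fails(char **name, char **info, u_int *num,
    char ***prompts, u_int **echo_on)
{
	(void)name; (void)info; (void)num; (void)prompts; (void)echo_on;
	return -1;
}

/* Hypothetical stand-in for a well-behaved callback: one prompt, no echo. */
static char *one_prompt[] = { "Password: " };
static u_int one_echo[] = { 0 };
static int query_one_prompt(char **name, char **info, u_int *num,
    char ***prompts, u_int **echo_on)
{
	*name = ""; *info = ""; *num = 1;
	*prompts = one_prompt; *echo_on = one_echo;
	return 0;
}

/* Returns how many prompts[] entries the caller's loop would walk.
 * "stale" models whatever was left in num's stack slot (constructed value);
 * reading a truly uninitialized variable is undefined, so it is passed in. */
u_int prompts_walked(query_fn query, u_int stale, int hardened)
{
	char *name = NULL, *info = NULL, **prompts = NULL;
	u_int num = stale, *echo_on = NULL;
	int ret;

	if (hardened)
		num = 0;	/* sane default before the call */
	ret = query(&name, &info, &num, &prompts, &echo_on);
	/* Assumed extra check: trust the count only on success with arrays set. */
	if (hardened && (ret != 0 || num > 1 || prompts == NULL || echo_on == NULL))
		num = 0;
	return num;
}

int main(void)
{
	printf("unhardened, failing query: %u\n", prompts_walked(query_fails, 0xdeadbeefu, 0));
	printf("hardened, failing query:   %u\n", prompts_walked(query_fails, 0xdeadbeefu, 1));
	printf("hardened, one prompt:      %u\n", prompts_walked(query_one_prompt, 0xdeadbeefu, 1));
	return 0;
}
```
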
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-13 14:33 UTC
[Bug 1795] An integer variable "num" in mm_answer_pam_query() is not initialized before used
https://bugzilla.mindrot.org/show_bug.cgi?id=1795

Tomas Mraz <t8m at centrum.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |t8m at centrum.cz

--- Comment #1 from Tomas Mraz <t8m at centrum.cz> ---
I suppose the buffer_put_cstring that fails is a different one. Most probably some in the sshpam_thread_conv() function. And that some module in the PAM stack passes incorrect values to the PAM conversation function.

In the sshpam_query the only situation where num would be left uninitialized is when neither of PAM_AUTH_ERR, PAM_ACCT_EXPIRED and PAM_SUCCESS messages is received and this should not happen due to the way sshpam_thread() function is written.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-19 03:23 UTC
[Bug 1795] An integer variable "num" in mm_answer_pam_query() is not initialized before used
https://bugzilla.mindrot.org/show_bug.cgi?id=1795

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |1708

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Could you please run this test program on your system? It'll give us some idea of what PAM is doing under the covers.

http://www.zipworld.com.au/~dtucker/patches/pam-test-harness.c

# ./pam-test-harness -u [youruser] -s sshd
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-03 05:43 UTC
[Bug 1795] An integer variable "num" in mm_answer_pam_query() is not initialized before used
https://bugzilla.mindrot.org/show_bug.cgi?id=1795

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 1908
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1908
openssh-init-pam-vars.patch

Initialize to sane values.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-03 05:51 UTC
[Bug 1795] An integer variable "num" in mm_answer_pam_query() is not initialized before used
https://bugzilla.mindrot.org/show_bug.cgi?id=1795

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
Thanks for the report, the attached patch has been applied and will be in the 5.6p1 release.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-27 00:28 UTC
[Bug 1795] An integer variable "num" in mm_answer_pam_query() is not initialized before used
https://bugzilla.mindrot.org/show_bug.cgi?id=1795

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
With the release of OpenSSH 5.6p1 this bug is now considered closed. If you have further problems please reopen or file a new bug as appropriate.