bugzilla-daemon at mindrot.org
2005-Mar-10 01:54 UTC
[Bug 996] Fatal error in xfree() when scp invokes ssh with a LocalForward config
http://bugzilla.mindrot.org/show_bug.cgi?id=996
Summary: Fatal error in xfree() when scp invokes ssh with a LocalForward config
Product: Portable OpenSSH
Version: 4.0p1
Platform: All
OS/Version: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: mindrot at ee.lbl.gov
The routine clear_forwardings() can call xfree() with a nil pointer if you have
a .ssh/config similar to this:
    Host mindrot.org
    LocalForward 12345 localhost:54321
This seems to happen with ssh when scp invokes it to connect to the remote host,
for example:
    % scp mindrot.org:.cshrc /dev/null
    xfree: NULL pointer given as argument
gdb shows this happens on this line in readconf.c:
    xfree(options->local_forwards[i].listen_host);
It's possible (perhaps likely) there are other similar problems in this
routine.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Mar-10 01:58 UTC
[Bug 996] Fatal error in xfree() when scp invokes ssh with a LocalForward config
http://bugzilla.mindrot.org/show_bug.cgi?id=996
------- Additional Comments From mindrot at ee.lbl.gov 2005-03-10 12:58 -------
Created an attachment (id=848)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=848&action=view)
minimal patch
bugzilla-daemon at mindrot.org
2005-Mar-10 03:26 UTC
[Bug 996] Fatal error in xfree() when scp invokes ssh with a LocalForward config
http://bugzilla.mindrot.org/show_bug.cgi?id=996
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
OS/Version|FreeBSD |All
------- Additional Comments From dtucker at zip.com.au 2005-03-10 14:26 -------
You are correct, it is a bug. It can be provoked by using
ClearAllForwardings=yes (not just with scp).
bugzilla-daemon at mindrot.org
2005-Mar-10 05:53 UTC
[Bug 996] Fatal error in xfree() when scp invokes ssh with a LocalForward config
http://bugzilla.mindrot.org/show_bug.cgi?id=996
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #848 is obsolete|0 |1
------- Additional Comments From dtucker at zip.com.au 2005-03-10 16:53 -------
Created an attachment (id=849)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=849&action=view)
check forward listen_host for null
I've been through the code and there appears to be one other instance of this
bug (immediately after the one you found) which is also fixed in this patch.
Basically, listen_host is new (it's to support the options to bind() port
forwards to specified addresses), and it's optional. When it's not provided for
a particular forward, it's NULL. When it's NULL and ClearAllForwardings is
set, ssh dies screaming.
As a workaround, prepending ":" to the forward spec should prevent it from
happening even without the patch.
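Added example, not part of the original thread and not OpenSSH source: a simplified C model of the failure described in the comment above, where a strict free wrapper meets an optional field that is NULL. The names xfree_model, clear_forwards, run and connect_host, and the empty string used for a ":"-prefixed spec, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not OpenSSH source; names other than listen_host are assumed. */
typedef struct {
    char *listen_host;   /* optional bind address: NULL when the spec omits it */
    char *connect_host;  /* always present */
} Forward;

static int fatal_calls;  /* counts what would have been a fatal() exit */

/* Strict free wrapper in the style of xfree(): a NULL argument is an error. */
static void xfree_model(void *p)
{
    if (p == NULL) { fatal_calls++; return; }
    free(p);
}

static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    if (d == NULL) abort();
    return strcpy(d, s);
}

/* checked == 0: free the optional field unconditionally (the reported bug).
 * checked == 1: test the optional field for NULL first (the fix described). */
static void clear_forwards(Forward *f, int *n, int checked)
{
    for (int i = 0; i < *n; i++) {
        if (!checked || f[i].listen_host != NULL)
            xfree_model(f[i].listen_host);
        xfree_model(f[i].connect_host);
    }
    *n = 0;
}

/* Build one constructed forward, clear it, return the number of fatal hits. */
static int run(int checked, const char *listen_host)
{
    Forward f[1] = {{ listen_host ? dup_str(listen_host) : NULL, dup_str("localhost") }};
    int n = 1;
    fatal_calls = 0;
    clear_forwards(f, &n, checked);
    return fatal_calls;
}

int main(void)
{
    /* NULL models "12345 localhost:54321"; "" is an assumed value for a ":"-prefixed spec. */
    printf("unchecked=%d checked=%d workaround=%d\n", run(0, NULL), run(1, NULL), run(0, ""));
    return 0;
}
```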
bugzilla-daemon at mindrot.org
2005-Mar-10 05:54 UTC
[Bug 996] Fatal error in xfree() when scp invokes ssh with a LocalForward config
http://bugzilla.mindrot.org/show_bug.cgi?id=996
------- Additional Comments From dtucker at zip.com.au 2005-03-10 16:54 -------
Created an attachment (id=850)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=850&action=view)
regress test for clearallforwardings bug
Matching regress test.
bugzilla-daemon at mindrot.org
2005-Mar-10 07:10 UTC
[Bug 996] Fatal error in xfree() when scp invokes ssh with a LocalForward config
http://bugzilla.mindrot.org/show_bug.cgi?id=996
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis| |994
Keywords| |openbsd, patch
bugzilla-daemon at mindrot.org
2005-Mar-10 11:42 UTC
[Bug 996] Fatal error in xfree() when scp invokes ssh with a LocalForward config
http://bugzilla.mindrot.org/show_bug.cgi?id=996
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
------- Additional Comments From dtucker at zip.com.au 2005-03-10 22:42 -------
This has now been fixed in OpenBSD; the fix will appear in -Portable next time
the changes are synced. Thanks for the report.