bugzilla-daemon at bugzilla.mindrot.org
2008-Nov-23 14:42 UTC
[Bug 1539] New: double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539 Summary: double-free when failing to parse a forwarding specification given using ~C Product: Portable OpenSSH Version: 5.1p1 Platform: ix86 URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=50533 0 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy: cjwatson at debian.org Created an attachment (id=1581) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1581) fix double-free if parsing forwarding specification fails Arthur de Jong reported that ssh can be made to crash with a double-free as follows: % ssh somehost [...] % ~C ssh> -L *.80:localhost:80 Bad forwarding specification. *** glibc detected *** ssh: double free or corruption (fasttop): 0xb95431b0 *** This is because parse_forward frees fwd->connect_host and fwd->listen_host but doesn't set them to NULL, and so process_cmdline tries to free them again. Patch attached. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Dec-07 22:32 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Blocks| |1481 --- Comment #1 from Damien Miller <djm at mindrot.org> 2008-12-08 09:32:11 --- on the 5.2 list -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Dec-09 03:13 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #2 from Damien Miller <djm at mindrot.org> 2008-12-09 14:13:06 --- patch applied, will be in openssh-5.2 - thanks! -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-06 20:59 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539 Ian Gallagher <mindrot-bugzilla at cdine.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mindrot-bugzilla at cdine.org --- Comment #3 from Ian Gallagher <mindrot-bugzilla at cdine.org> 2009-01-07 07:59:27 --- *** Bug 1548 has been marked as a duplicate of this bug. *** -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-23 02:36 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #4 from Damien Miller <djm at mindrot.org> 2009-02-23 13:36:39 --- Close bugs fixed/reviewed for openssh-5.2 release -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Seemingly Similar Threads
- [Bug 1380] New: incorrect check for strlen(fwd->connect_host) in parse_forward()
- [Bug 1379] New: memory leak in process_cmdline()
- ssh(1) multiplexing rewrite
- [PATCH/RFC 0/6] New mux client request to list open tcp forwardings.
- [Bug 1548] New: Double free in OpenSSH clientloop.c/xmalloc.c via cmdline port forwarding