bugzilla-daemon at bugzilla.mindrot.org
2008-Nov-23 14:42 UTC
[Bug 1539] New: double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539
Summary: double-free when failing to parse a forwarding specification given using ~C
Product: Portable OpenSSH
Version: 5.1p1
Platform: ix86
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505330
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: cjwatson at debian.org
Created an attachment (id=1581)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1581)
fix double-free if parsing forwarding specification fails
Arthur de Jong reported that ssh can be made to crash with a
double-free as follows:
% ssh somehost
[...]
% ~C
ssh> -L *.80:localhost:80
Bad forwarding specification.
*** glibc detected *** ssh: double free or corruption (fasttop): 0xb95431b0 ***
This is because parse_forward frees fwd->connect_host and
fwd->listen_host but doesn't set them to NULL, and so process_cmdline
tries to free them again. Patch attached.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
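The ownership pattern described in the report above, as an added example that is not OpenSSH code and not the attached patch: a parser that frees its output fields on failure and a caller that frees them again on every path. The names `fwd_demo`, `dup_n`, `parse_fwd_demo`, `process_cmdline_demo` and `DEMO_KEEP_BUG`, and the simplified `listen_host:connect_host` format, are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the forwarding struct. */
struct fwd_demo { char *listen_host, *connect_host; };

/* Copy n bytes of s into a fresh NUL-terminated buffer. */
static char *dup_n(const char *s, size_t n)
{
    char *p = calloc(n + 1, 1);
    if (p == NULL)
        abort();
    return memcpy(p, s, n);
}

/* Parse "listen_host:connect_host" (constructed format). Returns 1 on
 * success, 0 on failure. On failure the fields are freed AND cleared. */
int parse_fwd_demo(struct fwd_demo *f, const char *spec)
{
    const char *colon = strchr(spec, ':');
    f->listen_host = f->connect_host = NULL;
    if (colon == NULL)
        return 0;
    f->listen_host = dup_n(spec, (size_t)(colon - spec));
    f->connect_host = dup_n(colon + 1, strlen(colon + 1));
    if (f->listen_host[0] != '\0' && f->connect_host[0] != '\0')
        return 1;
    /* Validation failed after allocation: release what we own. */
    free(f->listen_host);
    free(f->connect_host);
#ifndef DEMO_KEEP_BUG   /* define this to leave the pointers dangling */
    f->listen_host = f->connect_host = NULL;
#endif
    return 0;
}

/* The caller frees the fields on every path, success or failure. */
int process_cmdline_demo(const char *spec)
{
    struct fwd_demo f;
    int ok = parse_fwd_demo(&f, spec);
    free(f.listen_host);    /* free(NULL) is a no-op after a failed parse */
    free(f.connect_host);
    return ok;
}

int main(void)
{
    return process_cmdline_demo(":localhost");  /* 0: rejected, no crash */
}
```

Building with `-DDEMO_KEEP_BUG` under AddressSanitizer (`-fsanitize=address`) makes the second `free` in the caller report the double free on the failing input.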
bugzilla-daemon at bugzilla.mindrot.org
2008-Dec-07 22:32 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Blocks| |1481
--- Comment #1 from Damien Miller <djm at mindrot.org> 2008-12-08 09:32:11 ---
on the 5.2 list
bugzilla-daemon at bugzilla.mindrot.org
2008-Dec-09 03:13 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Damien Miller <djm at mindrot.org> 2008-12-09 14:13:06 ---
patch applied, will be in openssh-5.2 - thanks!
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-06 20:59 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539
Ian Gallagher <mindrot-bugzilla at cdine.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mindrot-bugzilla at cdine.org
--- Comment #3 from Ian Gallagher <mindrot-bugzilla at cdine.org> 2009-01-07 07:59:27 ---
*** Bug 1548 has been marked as a duplicate of this bug. ***
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-23 02:36 UTC
[Bug 1539] double-free when failing to parse a forwarding specification given using ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1539
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> 2009-02-23 13:36:39 ---
Close bugs fixed/reviewed for openssh-5.2 release