bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-07  19:03 UTC
[Bug 1956] New: sftp segfaults in parse_args() when argv[0] is NULL
https://bugzilla.mindrot.org/show_bug.cgi?id=1956
             Bug #: 1956
           Summary: sftp segfaults in parse_args() when argv[0] is NULL
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sftp
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: imorgan at nas.nasa.gov
If sftp is built without libedit support, a segfault can occur in
parse_args() when argv[0] equals NULL. This can be triggered by
entering ^L (followed by <enter>) on a blank line.
Connected to alex.
sftp> ^L
Segmentation fault (core dumped)
The backtrace from gdb shows:
#0  0x0000003af267c100 in strcasecmp () from /lib64/libc.so.6
#1  0x0000000000404dd2 in parse_args (conn=0x13fbc0c0, cmd=<value optimized out>, pwd=0x7fff330ac518, err_abort=0) at sftp.c:1145
#2  parse_dispatch_command (conn=0x13fbc0c0, cmd=<value optimized out>, pwd=0x7fff330ac518, err_abort=0) at sftp.c:1300
#3  0x0000000000406327 in interactive_loop (conn=0x13fbc0c0, file1=<value optimized out>, file2=<value optimized out>) at sftp.c:1990
#4  0x0000000000406913 in main (argc=<value optimized out>, argv=0x13fbc030) at sftp.c:2273
(gdb)
The problem appears to be that argv[0] is NULL, and there is no check
for this prior to the strcasecmp() call.
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-10  20:46 UTC
[Bug 1956] sftp segfaults in parse_args() when argv[0] is NULL
https://bugzilla.mindrot.org/show_bug.cgi?id=1956
--- Comment #1 from Loganaden Velvindron <loganaden at gmail.com>
2011-12-11 07:46:51 EST ---
Created attachment 2117
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2117
return -1 when argv[0] is NULL instead of continuing further

When argv[0] is set to NULL, return -1. This fixes the segfault.
I'm still looking into what causes its value to be set to NULL.
Thanks to Eldergod Selven who allowed me to play with his iMac ;-)
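The shape of the crash in the original report (strcasecmp() reached with argv[0] == NULL) and the fix described in attachment 2117 (return -1 instead of continuing), as an added illustration that is not OpenSSH code and not the attachment itself. The tokenizer below is hypothetical and does not claim to reproduce how sftp's own argument splitting produced the NULL; it only shows how a line consisting solely of separator characters such as form feed (^L) yields an empty argv, and why the dispatcher must check for that before comparing argv[0]. The command table and function names are invented for the example.

```c
/*
 * Added example (not OpenSSH's makeargv()/parse_args()): a command line
 * made only of separator characters yields no tokens, argv[0] stays NULL,
 * and a lookup that hands argv[0] to strcasecmp() without a NULL check
 * dereferences NULL. parse_command() shows the hardened dispatch.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXARGS 8

enum { CMD_UNKNOWN = 0, CMD_LS = 1, CMD_GET = 2, CMD_QUIT = 3 };

/* hypothetical command table */
static const struct { const char *name; int id; } cmdtab[] = {
	{ "ls", CMD_LS }, { "get", CMD_GET }, { "quit", CMD_QUIT }, { NULL, 0 }
};

/*
 * Hypothetical tokenizer: copies line into buf, splits on whitespace and
 * other control characters, NUL-terminates each token in place and fills
 * the NULL-terminated argv[]. Returns the token count, or -1 if the line
 * does not fit. "\f" (what ^L sends) produces argc == 0, argv[0] == NULL.
 */
static int tokenize(const char *line, char *buf, size_t buflen, char *argv[MAXARGS])
{
	size_t n = strlen(line);
	int argc = 0;
	char *p;

	for (int i = 0; i < MAXARGS; i++)
		argv[i] = NULL;
	if (n >= buflen)
		return -1;
	memcpy(buf, line, n + 1);

	p = buf;
	while (*p != '\0' && argc < MAXARGS - 1) {
		/* skip separators: whitespace and any other control character */
		while (*p != '\0' && (isspace((unsigned char)*p) || iscntrl((unsigned char)*p)))
			p++;
		if (*p == '\0')
			break;
		argv[argc++] = p;
		while (*p != '\0' && !isspace((unsigned char)*p) && !iscntrl((unsigned char)*p))
			p++;
		if (*p != '\0')
			*p++ = '\0';
	}
	argv[argc] = NULL;
	return argc;
}

/*
 * Same shape as the faulting frame in the backtrace: strcasecmp() is given
 * argv[0] with no NULL check. Called with argv[0] == NULL this crashes.
 */
static int lookup_unchecked(char *argv[])
{
	for (int i = 0; cmdtab[i].name != NULL; i++)
		if (strcasecmp(cmdtab[i].name, argv[0]) == 0)
			return cmdtab[i].id;
	return CMD_UNKNOWN;
}

/*
 * Hardened dispatcher: an empty token list is rejected before any lookup,
 * i.e. return -1 when argv[0] is NULL, as the attachment describes.
 */
static int parse_command(const char *line)
{
	char buf[256];
	char *argv[MAXARGS];
	int argc = tokenize(line, buf, sizeof buf, argv);

	if (argc <= 0 || argv[0] == NULL)
		return -1;			/* nothing to dispatch */
	return lookup_unchecked(argv);		/* argv[0] is non-NULL here */
}

int main(void)
{
	/* constructed sample lines: "\f" is form feed (^L), "\v" is vertical tab (^K) */
	const char *samples[] = { "ls -l", "GET file", "\f", "\v", "   ", "bogus" };

	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-10s -> %d\n",
		    (unsigned char)samples[i][0] < ' ' ? "<ctrl>" : samples[i],
		    parse_command(samples[i]));
	return 0;
}
```

The point of keeping lookup_unchecked() unchanged is that the fix belongs at the boundary where argv is produced: once the dispatcher guarantees argc > 0, every downstream comparison of argv[0] is safe, which is simpler to audit than sprinkling NULL checks before each strcasecmp().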
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-15  09:07 UTC
[Bug 1956] sftp segfaults in parse_args() when argv[0] is NULL
https://bugzilla.mindrot.org/show_bug.cgi?id=1956
Loganaden Velvindron <loganaden at gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |loganaden at gmail.com
--- Comment #2 from Loganaden Velvindron <loganaden at gmail.com>
2011-12-15 20:07:30 EST ---
I can reproduce it with a small number of control characters,
e.g. ^L, ^K, ^P.
If I mix them with alphabetic characters, it also segfaults,
e.g. A^L, B^K.
In all the cases, argv[0] is NULL.
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-24  00:33 UTC
[Bug 1956] sftp segfaults in parse_args() when argv[0] is NULL
https://bugzilla.mindrot.org/show_bug.cgi?id=1956
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1986