bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-01 08:39 UTC
[Bug 2535] New: Undefined behaviour of *printf in DISPLAY handling code
https://bugzilla.mindrot.org/show_bug.cgi?id=2535
Bug ID: 2535
Summary: Undefined behaviour of *printf in DISPLAY handling code
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Upstream commit [1] changed the logic of handling errors of the DISPLAY
variable and introduced undefined behaviour.
When the client requests X11 forwarding and does not have the DISPLAY variable
set, getenv returns NULL (ssh.c:1707), the program gets into the
client_x11_get_proto() function, where the variable is passed directly
to the logit function as it is (clientloop.c:321).
This case is handled by current GCC and is therefore not causing a segfault
but writing:
    DISPLAY "(null)" invalid; disabling X11 forwarding
It is not correct and should be fixed, preferably by not going into
this branch in ssh.c:1710, because there is already one check for NULL
in the previous condition.
Originally reported as rhbz#1303260 [2].
[1] https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1303260
--
You are receiving this mail because:
You are watching the assignee of the bug.
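The NULL case described in this report, shown as an added example; it is not part of the original thread and is not OpenSSH's code. The function name check_display, the result enum, the allowed character set and the treatment of an empty value as unset are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum x11_check { X11_OK = 0, X11_UNSET = 1, X11_INVALID = 2 };

/*
 * Classify a DISPLAY value and, when it is rejected, format the log line
 * into msg. display may be NULL, because getenv() returns NULL for an
 * unset variable. NULL is never handed to a %s conversion: that is
 * undefined behaviour, even though some libcs print "(null)".
 * Allowed characters and "empty means unset" are assumptions.
 */
static enum x11_check
check_display(const char *display, char *msg, size_t msglen)
{
	size_t i;

	if (msglen > 0)
		msg[0] = '\0';
	if (display == NULL || display[0] == '\0') {
		snprintf(msg, msglen, "DISPLAY not set; disabling X11 forwarding");
		return X11_UNSET;
	}
	for (i = 0; display[i] != '\0'; i++) {
		if (!isalnum((unsigned char)display[i]) &&
		    strchr(":/.-_", display[i]) == NULL) {
			/* display is known to be non-NULL here, so %s is safe. */
			snprintf(msg, msglen,
			    "DISPLAY \"%s\" invalid; disabling X11 forwarding", display);
			return X11_INVALID;
		}
	}
	return X11_OK;
}

int
main(void)
{
	char msg[128];

	/* The caller branches on the return code and logs only on rejection. */
	if (check_display(getenv("DISPLAY"), msg, sizeof(msg)) != X11_OK)
		fprintf(stderr, "%s\n", msg);
	return 0;
}
```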
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-04 23:46 UTC
[Bug 2535] Undefined behaviour of *printf in DISPLAY handling code
https://bugzilla.mindrot.org/show_bug.cgi?id=2535
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |2451
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Already fixed in
commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a
Author: millert at openbsd.org <millert at openbsd.org>
Date:   Mon Feb 1 21:18:17 2016 +0000
    upstream commit
    Avoid ugly "DISPLAY "(null)" invalid; disabling X11
    forwarding" message when DISPLAY is not set. This could also
    result in a crash on systems with a printf that doesn't
    handle NULL. OK djm@
    Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2535] Undefined behaviour of *printf in DISPLAY handling code
https://bugzilla.mindrot.org/show_bug.cgi?id=2535
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release