thr3ads.net - openssh unix dev - [Bug 526] potential ssh-keysign segfault if pktype == KEY

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at mindrot.org

2003-Mar-31 21:50 UTC

[Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC

http://bugzilla.mindrot.org/show_bug.cgi?id=526

           Summary: potential ssh-keysign segfault if pktype == KEY_UNSPEC
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: cjwatson at debian.org


gcc warns:

gcc -O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
-DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64
-DHAVE_MMAP_ANON_SHARED -I.
-I.  -DSSHDIR=\"/etc/ssh\"
-D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/ssh-keysign\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/ssh-rand-helper\" -DHAVE_CONFIG_H -c
ssh-keysign.c
ssh-keysign.c: In function `valid_request':
ssh-keysign.c:58: warning: `key' might be used uninitialized in this
function

Looking at the code, indeed, key is only initialized if pktype != KEY_UNSPEC,
but if pktype == KEY_UNSPEC then fail will be non-zero and key_free() in the
following code may fire depending on what happens to be on the stack, possibly
causing a segfault:

        if (fail && key != NULL)
                key_free(key);
        else
                *ret = key;

I suggest explicitly initializing key to NULL.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

bugzilla-daemon at mindrot.org

2003-Apr-02 14:26 UTC

head link

[Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC

http://bugzilla.mindrot.org/show_bug.cgi?id=526

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From markus at openbsd.org  2003-04-03 00:26 -------
thanks, fixed in 3.7



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

Possibly Parallel Threads

Search for more seemingly similar threads

openssh unix dev - Mar 2003 - [Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC

[Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC

[Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC

Possibly Parallel Threads