Hi, I wrote a patch to improve sending the struct passwd value.
And I believe one ToDo comment will be finished.
When ssh forks a child process for authentication,
the parent process proxies the pwnamallow() execution in mm_answer_pwnamallow().
Through this proxy, struct passwd values are sent via a UNIX domain socket.
That includes pointer values, because the whole structure memory is copied
by memcpy().
Fortunately, all pointer members are replaced by actual strings
(e.g. pw_name, pw_passwd, ...) for now.
But if a new pointer member is added, it will never be rewritten and can become a
wild pointer. My patch avoids this.
Take a look at my GitHub pull request to see my patch.
https://github.com/openssh/openssh-portable/pull/216
Thank you!
--
Yuichiro NAITO (naito.yuichiro at gmail.com)
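Added example (not the author's patch and not OpenSSH's monitor code): struct passwd is marshalled member by member into a length-prefixed wire buffer, and the receiver assigns every pointer itself after zeroing the struct, so a member the sender did not serialize ends up NULL instead of carrying a sender-side address. The wire format, the getpwnam_r-style caller-supplied string buffer and the names pw_marshal/pw_unmarshal are assumptions made for this example.

```c
#include <pwd.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Wire format, constructed for this example: pw_uid and pw_gid as uint32_t, then
 * pw_name, pw_passwd, pw_dir, pw_shell each as a uint32_t length plus bytes. */
static const size_t str_member[] = { offsetof(struct passwd, pw_name),
	offsetof(struct passwd, pw_passwd), offsetof(struct passwd, pw_dir), offsetof(struct passwd, pw_shell) };
#define NSTR (sizeof(str_member) / sizeof(str_member[0]))
#define MEMBER(pw, i) (*(char **)((char *)(pw) + str_member[i]))

/* Sender side: members are addressed by name, never by copying the whole
 * struct. Returns bytes written to buf, or 0 if cap is too small. */
size_t pw_marshal(struct passwd *pw, unsigned char *buf, size_t cap)
{
	uint32_t ids[2] = { (uint32_t)pw->pw_uid, (uint32_t)pw->pw_gid };
	size_t off = 8;
	if (cap < 8) return 0;
	memcpy(buf, ids, 8);
	for (size_t i = 0; i < NSTR; i++) {
		const char *s = MEMBER(pw, i) ? MEMBER(pw, i) : "";
		uint32_t n = (uint32_t)strlen(s);
		if (cap - off < 4 + (size_t)n) return 0;
		memcpy(buf + off, &n, 4); memcpy(buf + off + 4, s, n);
		off += 4 + n;
	}
	return off;
}

/* Receiver side, getpwnam_r style: strings land in the caller's strbuf and every
 * pointer member is assigned here. The struct is zeroed first, so no member,
 * present or future, can keep a sender-side address. Returns 0 or -1. */
int pw_unmarshal(const unsigned char *buf, size_t len, struct passwd *out,
                 char *strbuf, size_t strcap)
{
	uint32_t ids[2], n;
	size_t off = 8, used = 0;
	memset(out, 0, sizeof(*out));
	if (len < 8) return -1;
	memcpy(ids, buf, 8); out->pw_uid = ids[0]; out->pw_gid = ids[1];
	for (size_t i = 0; i < NSTR; i++) {
		if (len - off < 4) return -1;
		memcpy(&n, buf + off, 4);
		if (len - off - 4 < n || strcap - used < (size_t)n + 1) return -1;
		memcpy(strbuf + used, buf + off + 4, n); strbuf[used + n] = '\0';
		MEMBER(out, i) = strbuf + used;
		used += n + 1; off += 4 + n;
	}
	return 0;
}
```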