Jubin Zhong
2020-Nov-28 02:05 UTC
[PATCH] Fixes null pointer dereference in do_setup_env().
There is a wrong usage of strchr() in openssh. strchr() shall return a null pointer if the char was not found. Check whether return value is NULL instead of dereferencing it. Signed-off-by: Jubin Zhong <zhongjubin at huawei.com> --- session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/session.c b/session.c index b25cbca..9e9d5fe 100644 --- a/session.c +++ b/session.c @@ -1105,7 +1105,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) for (n = 0 ; n < auth_opts->nenv; n++) { ocp = xstrdup(auth_opts->env[n]); cp = strchr(ocp, '='); - if (*cp == '=') { + if (cp != NULL) { *cp = '\0'; /* Apply PermitUserEnvironment allowlist */ if (options.permit_user_env_allowlist == NULL || -- 1.8.5.6
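Review bot: at the changed test `if (cp != NULL)`, the visible lines do not show what happens to an entry that has no '='. `ocp` has just been allocated with xstrdup(), and nothing in this context frees it or reports the skipped entry on the NULL path. Please confirm that `ocp` is released after the if block whichever branch is taken. Consider also adding a short comment or debug message next to the check stating that entries without '=' are ignored, so the test is not later mistaken for dead code and removed.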
Damien Miller
2020-Nov-28 03:30 UTC
[PATCH] Fixes null pointer dereference in do_setup_env().
On Sat, 28 Nov 2020, Jubin Zhong wrote:

> There is a wrong usage of strchr() in openssh. strchr() shall return a
> null pointer if the char was not found. Check whether return value is
> NULL instead of dereferencing it.

Applied - thanks. In this case, cp==NULL should not be possible as the auth_opts->env entries are guaranteed to contain '=' by auth-options.c

-d