| Summary: | ssh fails with xmalloc: zero size | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Tomas Mraz <t8m> | ||||||
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||
| Status: | CLOSED FIXED | ||||||||
| Severity: | normal | CC: | cjwatson, djm, josh, vapier | ||||||
| Priority: | P2 | Keywords: | patch | ||||||
| Version: | 5.1p1 | ||||||||
| Hardware: | Other | ||||||||
| OS: | Linux | ||||||||
| Bug Depends on: | |||||||||
| Bug Blocks: | 1481 | ||||||||
| Attachments: |
|
||||||||
Created attachment 1554 [details]
Correct patch
Actually according to the strnvis man page the dest must be null terminated in case the len is 0 or all the characters are expanded to 4 times length.
I can confirm this problem. I observed it when attempting to connect to the management module of an IBM BladeCenter via SSH. It did not occur with previous versions of SSH. Shouldn't you pass len * 4 + 1 as the third argument to strnvis too? openbsd-compat/vis.c says: * Strnvis will write no more than siz-1 bytes (and will NULL terminate). Hmm, yes. The current patch means that in case that all characters are expanded, the last character of the expanded string will be truncated. this has been fixed in openbsd now: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshconnect2.c.diff?r1=1.166;r2=1.168 Yes, this will be in openssh-5.2 Close bugs fixed/reviewed for openssh-5.2 release |
Created attachment 1553 [details] Patch which fixes the zero length banner problem. ssh fails with xmalloc: zero size when connecting to a server with present but empty banner. Also the processing of the received banner through strnvis() is unfortunate in the regard that it mangles banners with international characters. The processing should be done according to the current locale and allow the international characters to be printed unmangled.