| Summary: | getcwd being called with invalid argument in servconf.c | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Dan Mitton <dan.mitton> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | critical | CC: | dtucker |
| Priority: | P2 | ||
| Version: | 5.4p1 | ||
| Hardware: | SPARC | ||
| OS: | Solaris | ||
| Bug Depends on: | |||
| Bug Blocks: | 1743 | ||

Thanks for the report. This has been fixed and will be in the 5.5p1 release. You can confirm by testing a recent snapshot (http://www.mindrot.org/openssh_snap/).

Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1

In servconf.c, the code segment...

```c
char *
derelativise_path(const char *path)
{
    char *expanded, *ret, *cwd;

    expanded = tilde_expand_filename(path, getuid());
    if (*expanded == '/')
        return expanded;
    if ((cwd = getcwd(NULL, 0)) == NULL)
        fatal("%s: getcwd: %s", __func__, strerror(errno));
    xasprintf(&ret, "%s/%s", cwd, expanded);
    xfree(cwd);
    xfree(expanded);
    return ret;
}
```

is calling getcwd(NULL, 0). In the man pages from Solaris, it says...

```
ERRORS
     The getcwd() function will fail if:

     EINVAL    The size argument is equal to 0.
```

I suspect that this should be PATH_MAX, rather than 0.

This routine, and hence the error, does not exist in 5.3p1.
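One way to resolve a relative path without depending on the `getcwd(NULL, 0)` allocation extension that the report shows Solaris rejecting with EINVAL, as an added example (not OpenSSH code and not necessarily the fix that shipped in 5.5p1). `portable_getcwd` and `make_absolute` are hypothetical names; `make_absolute` mirrors `derelativise_path()` without tilde expansion, starts from the PATH_MAX the reporter suggests, and grows the buffer on ERANGE.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* assumption: fallback where <limits.h> omits it */
#endif

/* Hypothetical helper: returns the cwd in a malloc'd buffer, always passing
 * getcwd() a real buffer and a non-zero size. Doubles the buffer on ERANGE. */
char *portable_getcwd(size_t start)
{
    size_t size = start ? start : PATH_MAX;
    char *buf = NULL, *tmp;

    for (;;) {
        if ((tmp = realloc(buf, size)) == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;
        if (getcwd(buf, size) != NULL)
            return buf;
        if (errno != ERANGE || size > SIZE_MAX / 2) {
            free(buf);          /* real failure, or cannot grow further */
            return NULL;
        }
        size *= 2;              /* buffer too small: retry with more room */
    }
}

/* Hypothetical stand-in for derelativise_path(); caller frees the result. */
char *make_absolute(const char *path)
{
    char *cwd = NULL, *ret;
    size_t len;

    if (*path != '/' && (cwd = portable_getcwd(PATH_MAX)) == NULL)
        return NULL;
    len = (cwd ? strlen(cwd) + 1 : 0) + strlen(path) + 1;
    if ((ret = malloc(len)) != NULL)
        snprintf(ret, len, "%s%s%s", cwd ? cwd : "", cwd ? "/" : "", path);
    free(cwd);
    return ret;
}
```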