| Summary: | Undefined behaviour of *printf in DISPLAY handling code | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Jakub Jelen <jjelen> |
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | enhancement | CC: | djm |
| Priority: | P5 | ||
| Version: | -current | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| Bug Depends on: | |||
| Bug Blocks: | 2451 | ||
Already fixed in commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a Author: millert@openbsd.org <millert@openbsd.org> Date: Mon Feb 1 21:18:17 2016 +0000 upstream commit Avoid ugly "DISPLAY "(null)" invalid; disabling X11 forwarding" message when DISPLAY is not set. This could also result in a crash on systems with a printf that doesn't handle NULL. OK djm@ Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412 Close all resolved bugs after 7.3p1 release |
Upstream commit [1] changed logic of handling errors of DISPLAY variable and introduced undefined behaviour. When client requests X11 forwarding and does not have DISPLAY variable set, getenv returns NULL (ssh.c:1707), the program gets into client_x11_get_proto() function, where the variable is passed directly to logit function as it is (clientloop.c:321). This case is handled by current GCC and therefore not causing segfault but writing DISPLAY "(null)" invalid; disabling X11 forwarding It is not correct and should be fixed. Preferably by not going into this branch in ssh.c:1710, because there is already one check for NULL in previous condition. Originally reported as rhbz#1303260 [2]. [1] https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c [2] https://bugzilla.redhat.com/show_bug.cgi?id=1303260