| Summary: | Fatal error in xfree() when scp invokes ssh with a LocalForward config |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Craig Leres <mindrot10> |
| Component: | ssh |
| Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED |
| Severity: | normal |
| Keywords: | openbsd, patch |
| Priority: | P2 |
| Version: | 4.0p1 |
| Hardware: | All |
| OS: | All |
| Bug Depends on: | |
| Bug Blocks: | 994 |
| Attachments: | 848 (minimal patch), 849 (check forward listen_host for null), 850 (regress test for clearallforwardings bug) |
Created attachment 848: minimal patch

You are correct, it is a bug. It can be provoked by using ClearAllForwardings=yes (not just with scp).

Created attachment 849: check forward listen_host for null

I've been through the code and there appears to be one other instance of this bug (immediately after the one you found) which is also fixed in this patch.

Basically, listen_host is new (it's to support the options to bind() port forwards to specified addresses), and it's optional. When it's not provided for a particular forward, it's NULL. When it's NULL and ClearAllForwardings is set, ssh dies screaming.

As a workaround, prepending ":" to the forward spec should prevent it from happening even without the patch.

Created attachment 850: regress test for clearallforwardings bug

Matching regress test.

This has now been fixed in OpenBSD; the fix will appear in -Portable next time the changes are synced. Thanks for the report.

Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.
The routine clear_forwardings() can call xfree() with a nil pointer if you have a .ssh/config similar to this:

```
Host mindrot.org
LocalForward 12345 localhost:54321
```

This seems to happen with ssh when scp invokes it to connect to the remote host, for example:

```
% scp mindrot.org:.cshrc /dev/null
xfree: NULL pointer given as argument
```

gdb shows this happens on this line in readconf.c:

```c
xfree(options->local_forwards[i].listen_host);
```

It's possible (perhaps likely) there are other similar problems in this routine.
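As an added illustration (not code from this bug or from OpenSSH itself), the reduced C model below reproduces the failure mode described in the thread: a LocalForward written without a bind address leaves listen_host NULL, the pre-fix clear routine hands that NULL to xfree(), and the fix adds a NULL check; it also shows why the ":" workaround avoids the crash. The names Forward, Options, add_local_forward, null_frees_for and the _buggy/_fixed suffixes are hypothetical, and the xfree() stand-in counts NULL calls instead of aborting so the behaviour can be asserted on.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Hypothetical, reduced model of the OpenSSH option structures named in the
 * report; listen_host is the optional field that may be left NULL. */
typedef struct { char *listen_host; char *connect_host; } Forward;
typedef struct { Forward local_forwards[4]; int num_local_forwards; } Options;
/* The real xfree() of that era fatals with "xfree: NULL pointer given as
 * argument"; this stand-in counts such calls so a test can observe them. */
static int null_xfree_calls = 0;
static void xfree(void *p) { if (p == NULL) { null_xfree_calls++; return; } free(p); }
/* Parse a LocalForward spec "[bindaddr:]port host:port" (ports ignored here;
 * assumes a well-formed spec with one space). Without a bind address,
 * listen_host stays NULL; the ":" workaround from the thread yields an empty
 * but non-NULL string instead, which is why it avoids the crash. */
static void add_local_forward(Options *o, const char *spec) {
    Forward *f = &o->local_forwards[o->num_local_forwards++];
    const char *sp = strchr(spec, ' ');
    const char *colon = memchr(spec, ':', (size_t)(sp - spec));
    f->listen_host = colon ? strndup(spec, (size_t)(colon - spec)) : NULL;
    f->connect_host = strdup(sp + 1);
}
/* Before the fix: listen_host is freed unconditionally, so a forward written
 * without a bind address hands NULL to xfree(). */
static void clear_forwardings_buggy(Options *o) {
    for (int i = 0; i < o->num_local_forwards; i++) {
        xfree(o->local_forwards[i].listen_host);
        xfree(o->local_forwards[i].connect_host);
    }
    o->num_local_forwards = 0;
}
/* After the fix: the optional field is only freed when it was actually set. */
static void clear_forwardings_fixed(Options *o) {
    for (int i = 0; i < o->num_local_forwards; i++) {
        if (o->local_forwards[i].listen_host != NULL)
            xfree(o->local_forwards[i].listen_host);
        xfree(o->local_forwards[i].connect_host);
    }
    o->num_local_forwards = 0;
}
/* Apply one clear routine to one spec; returns the number of NULL frees. */
static int null_frees_for(const char *spec, void (*clear)(Options *)) {
    Options o = { .num_local_forwards = 0 };
    add_local_forward(&o, spec);
    null_xfree_calls = 0;
    clear(&o);
    return null_xfree_calls;
}
```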