Bug 526 - potential ssh-keysign segfault if pktype == KEY_UNSPEC
Summary: potential ssh-keysign segfault if pktype == KEY_UNSPEC
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: -current
Hardware: All Linux
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-04-01 07:50 AEST by Colin Watson
Modified: 2004-04-14 12:24 AEST (History)
Description Colin Watson 2003-04-01 07:50:13 AEST
gcc warns:

gcc -O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
-DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED -I.
-I.  -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-keysign.c
ssh-keysign.c: In function `valid_request':
ssh-keysign.c:58: warning: `key' might be used uninitialized in this function

Looking at the code, indeed, key is only initialized if pktype != KEY_UNSPEC,
but if pktype == KEY_UNSPEC then fail will be non-zero and key_free() in the
following code may fire depending on what happens to be on the stack, possibly
causing a segfault:

        if (fail && key != NULL)
                key_free(key);
        else
                *ret = key;

I suggest explicitly initializing key to NULL.
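A compilable model of the pattern this report describes, with the suggested fix applied (an added example, not OpenSSH's ssh-keysign.c; `Key`, `key_new`, `key_free` and `key_type_from_name` are simplified stand-ins for the real OpenSSH definitions):

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for OpenSSH's key types (not the real key.h). */
enum { KEY_RSA = 0, KEY_DSA = 1, KEY_UNSPEC = 2 };
typedef struct { int type; } Key;

static Key *key_new(int type) { Key *k = malloc(sizeof *k); k->type = type; return k; }
static void key_free(Key *k) { free(k); }

/* Simplified key_type_from_name(): only known algorithm names map to a type. */
static int key_type_from_name(const char *name) {
    if (strcmp(name, "ssh-rsa") == 0) return KEY_RSA;
    if (strcmp(name, "ssh-dss") == 0) return KEY_DSA;
    return KEY_UNSPEC;
}

/* Model of valid_request(): returns 0 and stores the key on success, -1 on failure.
 * The fix from this bug is the `= NULL` initializer: when pktype == KEY_UNSPEC the
 * key is never assigned, so without it the `fail && key != NULL` test below would
 * pass whatever happened to be on the stack into key_free(). */
static int valid_request(const char *pkalg, Key **ret) {
    Key *key = NULL;          /* before the fix this was an uninitialized `Key *key;` */
    int pktype, fail = 0;

    pktype = key_type_from_name(pkalg);
    if (pktype == KEY_UNSPEC)
        fail = 1;             /* key stays NULL on this path */
    else
        key = key_new(pktype);

    /* ... the real function performs further checks here that may set fail ... */

    if (fail && key != NULL)
        key_free(key);
    else
        *ret = key;
    return (fail ? -1 : 0);
}
```

With `key` initialized, an unknown algorithm name now yields a clean -1 and a NULL result instead of a free() of garbage.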
Comment 1 Markus Friedl 2003-04-03 00:26:22 AEST
thanks, fixed in 3.7
Comment 2 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED