Bug 996 - Fatal error in xfree() when scp invokes ssh with a LocalForward config
Summary: Fatal error in xfree() when scp invokes ssh with a LocalForward config
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 4.0p1
Hardware: All All
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords: openbsd, patch
Depends on:
Blocks: 994
Reported: 2005-03-10 12:54 AEDT by Craig Leres
Modified: 2006-10-07 11:39 AEST

See Also:


Attachments
minimal patch (605 bytes, patch)
2005-03-10 12:58 AEDT, Craig Leres
check forward listen_host for null (950 bytes, patch)
2005-03-10 16:53 AEDT, Darren Tucker
regress test for clearallforwardings bug (1.29 KB, patch)
2005-03-10 16:54 AEDT, Darren Tucker

Description Craig Leres 2005-03-10 12:54:51 AEDT
The routine clear_forwardings() can call xfree() with a nil pointer if you have
a .ssh/config similar to this:

    Host mindrot.org
        LocalForward 12345 localhost:54321

This seems to happen with ssh when scp invokes it to connect to the remote host,
for example:

    % scp mindrot.org:.cshrc /dev/null
    xfree: NULL pointer given as argument

gdb shows this happens on this line in readconf.c:

    xfree(options->local_forwards[i].listen_host);

It's possible (perhaps likely) there are other similar problems in this routine.
Comment 1 Craig Leres 2005-03-10 12:58:52 AEDT
Created attachment 848 [details]
minimal patch
Comment 2 Darren Tucker 2005-03-10 14:26:57 AEDT
You are correct; it is a bug.  It can be provoked by using
ClearAllForwardings=yes (not just with scp).
Comment 3 Darren Tucker 2005-03-10 16:53:17 AEDT
Created attachment 849 [details]
check forward listen_host for null

I've been through the code and there appears to be one other instance of this
bug (immediately after the one you found) which is also fixed in this patch.

Basically, listen_host is new (it's to support the options to bind() port
forwards to specified addresses), and it's optional.  When it's not provided for
a particular forward, it's NULL.  When it's NULL and ClearAllForwardings is
set, ssh dies screaming.

As a workaround, prepending ":" to the forward spec should prevent it from
happening even without the patch.
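As an added illustration of the NULL listen_host described in Comment 3 (example code written for this page, not OpenSSH's own readconf.c), this simplified C model parses a LocalForward spec with and without a bind address, reports whether the unpatched clear_forwardings() would hand xfree() a NULL, and shows the patched clearing logic. The Forward layout, parse_forward() and would_hit_xfree_null() are constructed here, and that a leading ":" yields an empty but non-NULL listen_host is assumed from the workaround above.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Simplified model of one LocalForward entry (assumed layout, not OpenSSH's struct). */
typedef struct {
    char *listen_host;   /* optional bind address; NULL when the spec gives none */
    int   listen_port;
    char *connect_host;
    int   connect_port;
} Forward;

/* Constructed parser for "[listen_host:]listen_port connect_host:connect_port".
 * Returns 0 on success, -1 if the spec is malformed. */
int parse_forward(const char *spec, Forward *f) {
    char buf[256], *sp, *colon;
    if (strlen(spec) >= sizeof buf || (sp = strchr(strcpy(buf, spec), ' ')) == NULL)
        return -1;
    *sp++ = '\0';
    if ((colon = strrchr(sp, ':')) == NULL) return -1;
    *colon++ = '\0';
    f->connect_host = strdup(sp);
    f->connect_port = atoi(colon);
    if ((colon = strrchr(buf, ':')) == NULL) {
        f->listen_host = NULL;          /* "12345 host:port": no bind address given */
        f->listen_port = atoi(buf);
    } else {
        *colon++ = '\0';
        f->listen_host = strdup(buf);   /* ":12345 host:port": "" but not NULL (assumed) */
        f->listen_port = atoi(colon);
    }
    return 0;
}

/* 1 if the unpatched clear_forwardings() would pass a NULL listen_host to xfree(),
 * which in ssh is the fatal "xfree: NULL pointer given as argument". */
int would_hit_xfree_null(const Forward *f, int n) {
    for (int i = 0; i < n; i++)
        if (f[i].listen_host == NULL) return 1;
    return 0;
}

/* Patched behaviour: free an optional field only when it was actually allocated. */
void clear_forwardings(Forward *f, int n) {
    for (int i = 0; i < n; i++) {
        if (f[i].listen_host != NULL) free(f[i].listen_host);
        free(f[i].connect_host);
        f[i].listen_host = f[i].connect_host = NULL;
    }
}
```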
Comment 4 Darren Tucker 2005-03-10 16:54:19 AEDT
Created attachment 850 [details]
regress test for clearallforwardings bug

Matching regress test.
Comment 5 Darren Tucker 2005-03-10 22:42:22 AEDT
This has now been fixed in OpenBSD, the fix will appear in -Portable next time
the changes are synced.  Thanks for the report.
Comment 6 Darren Tucker 2006-10-07 11:39:07 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.