Bug 1281

Summary: getrrsetbyname() does not check the presence of SIG records
Product: Portable OpenSSH Reporter: Simon Vallet <svallet>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: 4.4p1   
Hardware: Alpha   
OS: Other   
Bug Depends on:    
Bug Blocks: 1274    
Attachments:
Description: Patch against 4.4p1 (Flags: dtucker: ok+)

Description Simon Vallet 2007-02-10 00:54:26 AEDT
In getrrsetbyname(), the value of rrset->rri_nsigs is not checked before calling calloc() to initialize rrset->rri_sigs -- this is a problem when rri_nsigs is 0, since calloc() returns a null pointer on some OSes when asked to allocate 0 bytes.

Quoting POSIX regarding calloc():
"If the size of the space requested is 0, the behavior is
implementation-defined: the value returned shall be either a null
pointer or a unique pointer."

Tru64 5.1A, for example, does return NULL in this case -- see http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=117098800530793

A minimal patch against 4.4p1 is attached.
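The two allocation patterns the report contrasts, as an added example that is not part of the bug report or of OpenSSH's source; the `struct rrset`, the allocator hook and the function names are constructed stand-ins for the real getrrsetbyname() code, and the hook only imitates the Tru64 calloc(0) behaviour so the defect can be reproduced on a platform whose calloc returns a unique pointer:

```c
#include <stdlib.h>

/* Minimal stand-in for the rrset structure used by getrrsetbyname();
 * the two field names follow the bug report, the rest is constructed. */
struct rrset {
    unsigned int rri_nsigs;  /* number of SIG records */
    void **rri_sigs;         /* storage for them */
};

/* Allocator hook so the caller can imitate Tru64 5.1A, where calloc()
 * returns NULL when asked for 0 bytes (permitted by POSIX). */
typedef void *(*calloc_fn)(size_t, size_t);

static void *calloc_tru64_like(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return NULL;            /* the implementation-defined NULL case */
    return calloc(nmemb, size);
}

/* Buggy pattern: allocate unconditionally and treat NULL as failure.
 * A valid RRset with zero SIG records is then rejected on such systems.
 * Returns 0 on success, -1 on (apparent) allocation failure. */
int alloc_sigs_unchecked(struct rrset *rr, unsigned int nsigs, calloc_fn alloc)
{
    rr->rri_nsigs = nsigs;
    rr->rri_sigs = alloc(nsigs, sizeof(*rr->rri_sigs));
    if (rr->rri_sigs == NULL)
        return -1;
    return 0;
}

/* Fixed pattern: only call the allocator when there is something to
 * allocate, so NULL is unambiguous and really means out of memory. */
int alloc_sigs_checked(struct rrset *rr, unsigned int nsigs, calloc_fn alloc)
{
    rr->rri_nsigs = nsigs;
    rr->rri_sigs = NULL;
    if (nsigs > 0) {
        rr->rri_sigs = alloc(nsigs, sizeof(*rr->rri_sigs));
        if (rr->rri_sigs == NULL)
            return -1;
    }
    return 0;
}
```

With the Tru64-like allocator the unchecked version reports failure for nsigs == 0 while the checked version succeeds with an empty (NULL) signature array; both behave identically for nsigs > 0.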
Comment 1 Simon Vallet 2007-02-10 00:58:08 AEDT
Created attachment 1236 [details]
Patch against 4.4p1

This patch checks that there are indeed SIG records before allocating space for them -- see the bug report for more details.
Comment 2 Darren Tucker 2007-02-10 11:35:44 AEDT
Comment on attachment 1236 [details]
Patch against 4.4p1

Looks reasonable to me.
Comment 3 Darren Tucker 2007-02-19 22:57:31 AEDT
Applied thanks, and nice work figuring it out.
Comment 4 Damien Miller 2008-04-04 09:58:15 AEDT
Close resolved bugs after release.