Bug 1377

Summary: getpwuid called twice without pwcopy (percent_expand: NULL replacement)
Product: Portable OpenSSH
Reporter: Toby Butzon <toby>
Component: ssh
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: normal
CC: dtucker
Priority: P2
Keywords: patch
Version: -current
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 1353
Attachments:
- patch for ssh.c (flags: none)
- free passwd struct after dup (flags: none)

Description Toby Butzon 2007-10-20 14:16:55 AEST
Created attachment 1364: patch for ssh.c

The symptom is:

$ ssh foo
percent_expand: NULL replacement

Just need to pwcopy the last getpwuid result; percent_expand calls getpwuid, too, so not doing so destroys the old pwcopy data.

Comment 1 Toby Butzon 2007-10-20 14:19:51 AEST
(In reply to comment #0)

> Just need to pwcopy the last getpwuid result; percent_expand calls
> getpwuid, too, so not doing so destroys the old pwcopy data.

Woops, it's not percent_expand, it's tilde_expand_filename.

Comment 2 Damien Miller 2007-11-03 11:37:55 AEDT
Created attachment 1379: free passwd struct after dup

That patch will leak the passwd struct, so I think it needs a symmetric pwfree() like this.

Comment 3 Darren Tucker 2007-12-28 03:09:38 AEDT
This has been fixed by saving only pw_name and pw_dir (ssh.c revs 1.306 and 1.307), which will be in the 4.8 release.

Thanks for the report.

Comment 4 Damien Miller 2008-03-31 15:22:02 AEDT
Fix shipped in 4.9/4.9p1 release.