Bug 1539

Summary: double-free when failing to parse a forwarding specification given using ~C
Product: Portable OpenSSH
Reporter: Colin Watson <cjwatson>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: djm, mindrot-bugzilla
Priority: P2
Version: 5.1p1
Hardware: ix86
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505330
Bug Depends on:
Bug Blocks: 1481
Attachments:
  fix double-free if parsing forwarding specification fails (flags: none)

Description Colin Watson 2008-11-24 01:42:42 AEDT
Created attachment 1581
fix double-free if parsing forwarding specification fails

Arthur de Jong reported that ssh can be made to crash with a double-free as follows:

% ssh somehost
[...]
% ~C
ssh> -L *.80:localhost:80
Bad forwarding specification.
*** glibc detected *** ssh: double free or corruption (fasttop): 0xb95431b0 ***

This is because parse_forward frees fwd->connect_host and fwd->listen_host but doesn't set them to NULL, and so process_cmdline tries to free them again. Patch attached.
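The defect pattern the report describes, as an added illustration that is not OpenSSH's code or Colin Watson's patch: a parser that owns two heap strings, a failure path that releases them, and a caller that releases them again. The parser below (`parse_forward_model`, a hypothetical, much-simplified stand-in for `parse_forward`) shows the corrected failure path, where each pointer is set to NULL immediately after `free()`, so the caller's unconditional cleanup (`handle_forward_spec`, modelling what `process_cmdline` does) becomes a harmless `free(NULL)`. The buggy variant is shown only as a comment, since running it would reproduce the crash. All inputs are constructed; the forwarding syntax accepted here is a subset of ssh's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for OpenSSH's Forward struct (added example, not OpenSSH code). */
typedef struct {
    char *listen_host;   /* NULL when no bind address was given */
    int   listen_port;
    char *connect_host;
    int   connect_port;
} Forward;

/* Portable strdup replacement so the example builds under strict C99. */
static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Parse a decimal port in 1..65535; return -1 on malformed input. */
static int parse_port(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    v = strtol(s, &end, 10);
    return (*end != '\0' || v < 1 || v > 65535) ? -1 : (int)v;
}

/*
 * Hypothetical parser for "[listen_host:]listen_port:connect_host:connect_port".
 * Returns 1 on success, 0 on failure.  On failure every string it allocated is
 * freed AND its pointer reset to NULL: that reset is the whole fix, because the
 * caller frees both fields again and free() on a dangling pointer is a double free.
 */
static int parse_forward_model(Forward *fwd, const char *spec)
{
    char *buf, *tok, *field[4];
    int n = 0;

    memset(fwd, 0, sizeof(*fwd));
    if ((buf = xstrdup(spec)) == NULL)
        return 0;
    for (tok = strtok(buf, ":"); tok != NULL && n < 4; tok = strtok(NULL, ":"))
        field[n++] = tok;

    if (n == 4) {
        fwd->listen_host  = xstrdup(field[0]);
        fwd->listen_port  = parse_port(field[1]);
        fwd->connect_host = xstrdup(field[2]);
        fwd->connect_port = parse_port(field[3]);
    } else if (n == 3) {
        fwd->listen_port  = parse_port(field[0]);
        fwd->connect_host = xstrdup(field[1]);
        fwd->connect_port = parse_port(field[2]);
    } else {
        goto fail;
    }
    if (fwd->connect_host == NULL || fwd->listen_port < 0 || fwd->connect_port < 0)
        goto fail;
    free(buf);
    return 1;

fail:
    /* Buggy shape from the report:  free(fwd->listen_host); free(fwd->connect_host);
     * with the pointers left dangling.  Fixed shape: free, then clear. */
    free(fwd->listen_host);
    fwd->listen_host = NULL;
    free(fwd->connect_host);
    fwd->connect_host = NULL;
    free(buf);
    return 0;
}

/* Models the caller: releases both host strings whether or not parsing succeeded. */
static int handle_forward_spec(const char *spec)
{
    Forward fwd;
    int ok = parse_forward_model(&fwd, spec);

    if (!ok)
        fprintf(stderr, "Bad forwarding specification.\n");
    free(fwd.listen_host);   /* NULL after a failed parse, so this is a no-op there */
    free(fwd.connect_host);
    return ok;
}

/* 1 if parsing `spec` fails and leaves both pointers NULL, the invariant the fix restores. */
static int pointers_cleared_after_failure(const char *spec)
{
    Forward fwd;
    if (parse_forward_model(&fwd, spec))
        return 0;
    return fwd.listen_host == NULL && fwd.connect_host == NULL;
}

/* 1 if `spec` parses to exactly the given fields (lh may be NULL). */
static int parses_to(const char *spec, const char *lh, int lp, const char *ch, int cp)
{
    Forward fwd;
    int ok = parse_forward_model(&fwd, spec) && fwd.listen_port == lp && fwd.connect_port == cp
          && strcmp(fwd.connect_host, ch) == 0
          && ((lh == NULL && fwd.listen_host == NULL) || (lh && fwd.listen_host && strcmp(fwd.listen_host, lh) == 0));
    free(fwd.listen_host);
    free(fwd.connect_host);
    return ok;
}

int main(void)
{
    /* Constructed inputs: the malformed spec from the report, then a valid one. */
    handle_forward_spec("*.80:localhost:80");
    handle_forward_spec("8080:localhost:80");
    return 0;
}
```

The same check applies to any owner/borrower split: whichever function frees a field that another function will also free must leave it NULL, or the second free is undefined behaviour that allocators such as glibc's report as "double free or corruption".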
Comment 1 Damien Miller 2008-12-08 09:32:11 AEDT
on the 5.2 list
Comment 2 Damien Miller 2008-12-09 14:13:06 AEDT
patch applied, will be in openssh-5.2 - thanks!
Comment 3 Ian Gallagher 2009-01-07 07:59:27 AEDT
*** Bug 1548 has been marked as a duplicate of this bug. ***
Comment 4 Damien Miller 2009-02-23 13:36:39 AEDT
Close bugs fixed/reviewed for openssh-5.2 release