Bug 1956

Summary:

sftp segfaults in parse_args() when argv[0] is NULL

Product:

Portable OpenSSH

Reporter:

Iain Morgan <imorgan>

Component:

sftp

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

CC:

djm, loganaden

Priority:

Version:

-current

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

2035

Attachments:

Description	Flags
return -1 when argv[0] is NULL instead of continuing further	none
Check for argv[0] == NULL before strcasecmp()	none

Description Iain Morgan 2011-12-08 06:03:28 AEDT

If sftp is built without libedit support, a segfault can occur in
parse_args() when argv[0] equals NULL. This can be triggered by entering
^L (followed by <enter>) on a blank line.

Connected to alex.
sftp> ^L
Segmentation fault (core dumped)

The backtrace from gdb shows:

#0  0x0000003af267c100 in strcasecmp () from /lib64/libc.so.6
#1  0x0000000000404dd2 in parse_args (conn=0x13fbc0c0, cmd=<value
optimized out>, pwd=0x7fff330ac518, err_abort=0)
    at sftp.c:1145
#2  parse_dispatch_command (conn=0x13fbc0c0, cmd=<value optimized out>,
pwd=0x7fff330ac518, err_abort=0)
    at sftp.c:1300
#3  0x0000000000406327 in interactive_loop (conn=0x13fbc0c0,
file1=<value optimized out>, 
    file2=<value optimized out>) at sftp.c:1990
#4  0x0000000000406913 in main (argc=<value optimized out>,
argv=0x13fbc030) at sftp.c:2273
(gdb) 

The problem appears to be that argv[0] is NULL, and there is no check
for this prior to the strcasecmp() call.

Comment 1 Loganaden Velvindron 2011-12-11 07:46:51 AEDT

Created attachment 2117 [details]
return -1 when argv[0] is NULL instead of continuing further

when argv[0] is set to NULL, return -1.

This fixes the segfault. I'm still looking
into what causes its value to be set to NULL.

Thanks to Eldergod Selven who allowed me to play
with his iMac ;-)

Comment 2 Loganaden Velvindron 2011-12-15 20:07:30 AEDT

I can reproduce it with a small number of control character.
e.g
^L, ^K, ^P.

If I mix them with alphabetic characters, it
also segfaults.

e.g A^L, B^K.

In all the cases, argv[0] is NULL.

Comment 3 Damien Miller 2012-09-07 11:37:49 AEST

Retarget uncompleted bugs from 6.1 => 6.2

Comment 4 Damien Miller 2012-09-07 11:40:17 AEST

Retarget bugs from 6.1 => 6.2

Comment 5 Iain Morgan 2013-01-17 07:29:32 AEDT

Created attachment 2209 [details]
Check for argv[0] == NULL before strcasecmp()

I finally got some time to look at this in more detail. :-)

Checking whether argv[0] == NULL just before the strcasecmp() statement has the advantage that the user will receive an "Invalid command" response. That would seem to be more consistent.

Comment 6 Damien Miller 2013-02-08 11:41:30 AEDT

Patch applied. This will be in openssh-6.2, thanks!

Comment 7 Damien Miller 2013-03-22 12:02:00 AEDT

mark bugs closed by openssh-6.2 release as CLOSED