Bug 2753

Summary: Access violation of a array in sftp
Product: Portable OpenSSH Reporter: bingbing8 <yawang>
Component: sftpAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: normal CC: djm
Priority: P5    
Version: 7.5p1   
Hardware: amd64   
OS: All   

Description bingbing8 2017-08-05 07:26:54 AEST
We found this issue when enable application verifier on windows. but we believe this repros on other OS too.
when the command is: sftp myaccount@127.0.0.1. optind+1 is 2, which is not outside the valid index of argv.

2521			file2 = argv[optind+1];


Suggested fixes:
		if(argc > optind + 1)
2521			file2 = argv[optind+1];
Comment 1 Damien Miller 2017-08-11 13:58:30 AEST
I think the application verifier is incorrect here.

In this case, optind == argc-1, so file2 will be set to argv[argc]. argv[argc] is defined to be NULL by section 5.1.2.2.1 of the C standard:

"argv[argc] shall be a null pointer."

http://iso-9899.info/n1570.html#5.1.2.2.1p2
Comment 2 Damien Miller 2018-04-06 12:26:50 AEST
Close all resolved bugs after release of OpenSSH 7.7.