| Summary: | potential ssh-keysign segfault if pktype == KEY_UNSPEC | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Colin Watson <cjwatson> |
| Component: | Miscellaneous | Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | -current | ||
| Hardware: | All | ||
| OS: | Linux | ||
thanks, fixed in 3.7 Mass change of RESOLVED bugs to CLOSED |
gcc warns: gcc -O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-keysign.c ssh-keysign.c: In function `valid_request': ssh-keysign.c:58: warning: `key' might be used uninitialized in this function Looking at the code, indeed, key is only initialized if pktype != KEY_UNSPEC, but if pktype == KEY_UNSPEC then fail will be non-zero and key_free() in the following code may fire depending on what happens to be on the stack, possibly causing a segfault: if (fail && key != NULL) key_free(key); else *ret = key; I suggest explicitly initializing key to NULL.