Bug 1496 - ssh fails with xmalloc: zero size
Summary: ssh fails with xmalloc: zero size
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 5.1p1
Hardware: Other Linux
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords: patch
Depends on:
Blocks: V_5_2
Reported: 2008-07-31 19:08 AEST by Tomas Mraz
Modified: 2009-02-23 13:35 AEDT (History)

See Also:


Attachments
Patch which fixes the zero length banner problem. (592 bytes, patch)
2008-07-31 19:08 AEST, Tomas Mraz
Correct patch (618 bytes, patch)
2008-07-31 19:21 AEST, Tomas Mraz

Description Tomas Mraz 2008-07-31 19:08:50 AEST
Created attachment 1553
Patch which fixes the zero length banner problem.

ssh fails with xmalloc: zero size when connecting to a server with present but empty banner.

Also the processing of the received banner through strnvis() is unfortunate in the regard that it mangles banners with international characters. The processing should be done according to the current locale and allow the international characters to be printed unmangled.
Comment 1 Tomas Mraz 2008-07-31 19:21:05 AEST
Created attachment 1554
Correct patch

Actually, according to the strnvis man page, the dest must be null-terminated in case the len is 0 or all the characters are expanded to 4 times the length.
Comment 2 Josh Triplett 2008-08-07 05:56:25 AEST
I can confirm this problem.  I observed it when attempting to connect to the management module of an IBM BladeCenter via SSH.  It did not occur with previous versions of SSH.
Comment 3 Colin Watson 2008-08-29 23:50:26 AEST
Shouldn't you pass len * 4 + 1 as the third argument to strnvis too? openbsd-compat/vis.c says:

 *      Strnvis will write no more than siz-1 bytes (and will NULL terminate).
Comment 4 Tomas Mraz 2008-08-30 20:25:31 AEST
Hmm, yes. The current patch means that in case all characters are expanded, the last character of the expanded string will be truncated.
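The two points settled in Comments 1 to 4 (skip the allocation for an empty banner, and size the strnvis destination as len * 4 + 1 so the worst-case expansion still fits with its NUL) as an added C example; this is not the OpenSSH patch or its code. banner_vis() is a hypothetical minimal stand-in for strnvis() that keeps its siz-1 plus NUL contract, and banner_for_display() is a hypothetical caller standing in for the banner handling in sshconnect2.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case growth of one input byte: a 4-character octal escape "\ooo". */
#define VIS_MAX_EXPANSION 4

/*
 * Stand-in for strnvis() (not the real vis.c): printable ASCII is copied
 * as-is, every other byte becomes "\ooo".  Writes at most siz-1 bytes and
 * always NUL-terminates, as the quoted vis.c comment promises.  Returns
 * the length of the complete encoding, so a result >= siz means truncated.
 */
static size_t
banner_vis(char *dst, const unsigned char *src, size_t len, size_t siz)
{
	size_t out = 0, copied = 0;
	char esc[VIS_MAX_EXPANSION + 1];

	for (size_t i = 0; i < len; i++) {
		size_t n;
		if (src[i] >= 0x20 && src[i] < 0x7f && src[i] != '\\') {
			esc[0] = (char)src[i];
			n = 1;
		} else {
			n = (size_t)snprintf(esc, sizeof esc, "\\%03o", src[i]);
		}
		/* Copy only whole escapes, and only while room for the NUL remains. */
		if (copied == out && out + n < siz) {
			memcpy(dst + out, esc, n);
			copied += n;
		}
		out += n;
	}
	if (siz > 0)
		dst[copied] = '\0';
	return out;
}

/*
 * Prepare a received banner for display.  Returns NULL for an empty banner
 * (nothing to print, so no zero-byte allocation is attempted), otherwise a
 * freshly allocated NUL-terminated string that the caller frees.
 */
static char *
banner_for_display(const unsigned char *raw, size_t len)
{
	if (len == 0)
		return NULL;
	size_t siz = len * VIS_MAX_EXPANSION + 1;   /* max expansion + NUL */
	char *msg = malloc(siz);
	if (msg == NULL) {
		perror("malloc");
		exit(1);
	}
	banner_vis(msg, raw, len, siz);
	return msg;
}
```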
Comment 5 Mike Frysinger 2008-11-03 19:41:10 AEDT
this has been fixed in openbsd now:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshconnect2.c.diff?r1=1.166;r2=1.168
Comment 6 Damien Miller 2009-01-21 20:12:50 AEDT
Yes, this will be in openssh-5.2
Comment 7 Damien Miller 2009-02-23 13:35:57 AEDT
Close bugs fixed/reviewed for openssh-5.2 release