Bug 1748 - getcwd being called with invalid argument in servconf.c
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.4p1
Hardware: SPARC Solaris
Importance: P2 critical
Assignee: Assigned to nobody
Blocks: V_5_5
Reported: 2010-04-01 04:44 AEDT by Dan Mitton
Modified: 2010-04-16 15:50 AEST
Description Dan Mitton 2010-04-01 04:44:19 AEDT
In servconf.c, the code segment...

char *
derelativise_path(const char *path)
{
        char *expanded, *ret, *cwd;

        expanded = tilde_expand_filename(path, getuid());
        if (*expanded == '/')
                return expanded;
        if ((cwd = getcwd(NULL, 0)) == NULL)
                fatal("%s: getcwd: %s", __func__, strerror(errno));
        xasprintf(&ret, "%s/%s", cwd, expanded);
        xfree(cwd);
        xfree(expanded);
        return ret;
}

is calling getcwd(NULL, 0).  In the man pages from Solaris, it says...

ERRORS
     The getcwd() function will fail if:

     EINVAL          The size argument is equal to 0.

I suspect that this should be PATH_MAX, rather than 0.  This routine, and hence the error, does not exist in 5.3p1.
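
A portable form of the call described in the report, as an added example that is not OpenSSH code and not the fix that was committed: it always passes getcwd() a real buffer (starting at PATH_MAX and growing on ERANGE) instead of size 0. The names portable_getcwd and make_absolute are hypothetical, and tilde expansion and fatal() are left out so the block stands alone.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096	/* assumed fallback if <limits.h> omits it */
#endif

/* Hypothetical helper: never calls getcwd() with size 0, so it does not
 * depend on the getcwd(NULL, 0) extension. Caller frees the result. */
char *portable_getcwd(void)
{
	size_t len = PATH_MAX;
	char *buf = NULL, *tmp;
	int saved;

	while ((tmp = realloc(buf, len)) != NULL) {
		buf = tmp;
		if (getcwd(buf, len) != NULL)
			return buf;
		if (errno != ERANGE || len >= ((size_t)1 << 24))
			break;		/* real failure, or absurdly long cwd */
		len *= 2;		/* cwd did not fit: grow and retry */
	}
	saved = errno;			/* keep getcwd/realloc errno across free */
	free(buf);
	errno = saved;
	return NULL;
}

/* Hypothetical stand-in for derelativise_path(), without tilde expansion.
 * Returns NULL with errno set instead of calling fatal(). */
char *make_absolute(const char *path)
{
	char *cwd = NULL, *ret;
	size_t n;

	if (*path != '/' && (cwd = portable_getcwd()) == NULL)
		return NULL;
	n = (cwd ? strlen(cwd) + 1 : 0) + strlen(path) + 1;
	if ((ret = malloc(n)) != NULL)
		snprintf(ret, n, "%s%s%s", cwd ? cwd : "", cwd ? "/" : "", path);
	free(cwd);
	return ret;
}
```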
Comment 1 Darren Tucker 2010-04-09 10:30:27 AEST
Thanks for the report.  This has been fixed and will be in the 5.5p1 release.  You can confirm by testing a recent snapshot (http://www.mindrot.org/openssh_snap/).
Comment 2 Damien Miller 2010-04-16 15:50:23 AEST
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1