Bug 1956 - sftp segfaults in parse_args() when argv[0] is NULL
Summary: sftp segfaults in parse_args() when argv[0] is NULL
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sftp (show other bugs)
Version: -current
Hardware: All All
: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_6_2
  Show dependency treegraph
 
Reported: 2011-12-08 06:03 AEDT by Iain Morgan
Modified: 2013-03-22 12:02 AEDT (History)
2 users (show)

See Also:

Attachments
return -1 when argv[0] is NULL instead of continuing further (550 bytes, patch)
2011-12-11 07:46 AEDT, Loganaden Velvindron 		no flags Details | Diff
Check for argv[0] == NULL before strcasecmp() (494 bytes, patch)
2013-01-17 07:29 AEDT, Iain Morgan 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Iain Morgan 2011-12-08 06:03:28 AEDT 
If sftp is built without libedit support, a segfault can occur in
parse_args() when argv[0] equals NULL. This can be triggered by entering
^L (followed by <enter>) on a blank line.

Connected to alex.
sftp> ^L
Segmentation fault (core dumped)

The backtrace from gdb shows:

#0  0x0000003af267c100 in strcasecmp () from /lib64/libc.so.6
#1  0x0000000000404dd2 in parse_args (conn=0x13fbc0c0, cmd=<value
optimized out>, pwd=0x7fff330ac518, err_abort=0)
    at sftp.c:1145
#2  parse_dispatch_command (conn=0x13fbc0c0, cmd=<value optimized out>,
pwd=0x7fff330ac518, err_abort=0)
    at sftp.c:1300
#3  0x0000000000406327 in interactive_loop (conn=0x13fbc0c0,
file1=<value optimized out>, 
    file2=<value optimized out>) at sftp.c:1990
#4  0x0000000000406913 in main (argc=<value optimized out>,
argv=0x13fbc030) at sftp.c:2273
(gdb) 

The problem appears to be that argv[0] is NULL, and there is no check
for this prior to the strcasecmp() call.
Comment 1 Loganaden Velvindron 2011-12-11 07:46:51 AEDT 
Created attachment 2117 [details]
return -1 when argv[0] is NULL instead of continuing further

when argv[0] is set to NULL, return -1.

This fixes the segfault. I'm still looking
into what causes its value to be set to NULL.

Thanks to Eldergod Selven who allowed me to play
with his iMac ;-)
Comment 2 Loganaden Velvindron 2011-12-15 20:07:30 AEDT 
I can reproduce it with a small number of control character.
e.g
^L, ^K, ^P.

If I mix them with alphabetic characters, it
also segfaults.

e.g A^L, B^K.

In all the cases, argv[0] is NULL.
Comment 3 Damien Miller 2012-09-07 11:37:49 AEST 
Retarget uncompleted bugs from 6.1 => 6.2
Comment 4 Damien Miller 2012-09-07 11:40:17 AEST 
Retarget bugs from 6.1 => 6.2
Comment 5 Iain Morgan 2013-01-17 07:29:32 AEDT 
Created attachment 2209 [details]
Check for argv[0] == NULL before strcasecmp()

I finally got some time to look at this in more detail. :-)

Checking whether argv[0] == NULL just before the strcasecmp() statement has the advantage that the user will receive an "Invalid command" response. That would seem to be more consistent.
Comment 6 Damien Miller 2013-02-08 11:41:30 AEDT 
Patch applied. This will be in openssh-6.2, thanks!
Comment 7 Damien Miller 2013-03-22 12:02:00 AEDT 
mark bugs closed by openssh-6.2 release as CLOSED