If sftp is built without libedit support, a segfault can occur in parse_args() when argv[0] equals NULL. This can be triggered by entering ^L (followed by <enter>) on a blank line.

    Connected to alex.
    sftp> ^L
    Segmentation fault (core dumped)

The backtrace from gdb shows:

    #0  0x0000003af267c100 in strcasecmp () from /lib64/libc.so.6
    #1  0x0000000000404dd2 in parse_args (conn=0x13fbc0c0, cmd=<value optimized out>, pwd=0x7fff330ac518, err_abort=0) at sftp.c:1145
    #2  parse_dispatch_command (conn=0x13fbc0c0, cmd=<value optimized out>, pwd=0x7fff330ac518, err_abort=0) at sftp.c:1300
    #3  0x0000000000406327 in interactive_loop (conn=0x13fbc0c0, file1=<value optimized out>, file2=<value optimized out>) at sftp.c:1990
    #4  0x0000000000406913 in main (argc=<value optimized out>, argv=0x13fbc030) at sftp.c:2273
    (gdb)

The problem appears to be that argv[0] is NULL, and there is no check for this prior to the strcasecmp() call.
Created attachment 2117: return -1 when argv[0] is NULL instead of continuing further

When argv[0] is set to NULL, return -1. This fixes the segfault. I'm still looking into what causes its value to be set to NULL. Thanks to Eldergod Selven who allowed me to play with his iMac ;-)
I can reproduce it with a small number of control characters, e.g. ^L, ^K, ^P. If I mix them with alphabetic characters, it also segfaults, e.g. A^L, B^K. In all the cases, argv[0] is NULL.
Retarget uncompleted bugs from 6.1 => 6.2
Retarget bugs from 6.1 => 6.2
Created attachment 2209: Check for argv[0] == NULL before strcasecmp()

I finally got some time to look at this in more detail. :-) Checking whether argv[0] == NULL just before the strcasecmp() statement has the advantage that the user will receive an "Invalid command" response. That would seem to be more consistent.
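An added illustration of the fix described in this comment, not the OpenSSH patch itself: a stand-in command tokenizer and lookup in the shape of sftp's parse_args(), with the argv[0] != NULL test ahead of strcasecmp() so that a line yielding no tokens falls through to the sentinel entry and is reported as an invalid command instead of dereferencing NULL. The command table, split_args() and its rule of dropping tokens that contain control characters are constructed for this example and only reproduce the reported symptom (^L or A^L leaving argv empty), not sftp's real makeargv() behaviour.

```c
#define _POSIX_C_SOURCE 200809L   /* strtok_r(), strcasecmp() */
#include <ctype.h>
#include <string.h>
#include <strings.h>
#define MAX_ARGS 16

/* Constructed stand-in for sftp's command table; the sentinel's n == -1 means "no match". */
struct cmd { const char *c; int n; };
static const struct cmd cmds[] = { { "ls", 1 }, { "get", 2 }, { "put", 3 }, { NULL, -1 } };

/*
 * Constructed tokenizer (not sftp's makeargv). Splits on whitespace and, to
 * reproduce the reported condition, drops any token containing a control
 * character, so "^L" or "A^L" leaves argv empty: argv[0] == NULL.
 */
static int split_args(const char *line, char *buf, size_t bufsz, char **argv)
{
	int argc = 0;
	char *tok, *save;
	if (strlen(line) >= bufsz)
		return -1;
	strcpy(buf, line);
	for (tok = strtok_r(buf, " \t\n", &save); tok != NULL && argc < MAX_ARGS - 1;
	     tok = strtok_r(NULL, " \t\n", &save)) {
		int clean = 1;
		for (const char *p = tok; *p != '\0'; p++)
			if (iscntrl((unsigned char)*p)) clean = 0;
		if (clean)
			argv[argc++] = tok;
	}
	argv[argc] = NULL;   /* NULL-terminated, possibly empty, like sftp's argv */
	return argc;
}

/*
 * Returns the command number, or -1 ("Invalid command") when nothing matches.
 * The argv[0] != NULL test is the fix: without it, a line that produced no
 * tokens reaches strcasecmp() with a NULL argument and crashes.
 */
int lookup_command(const char *line)
{
	char buf[256], *argv[MAX_ARGS];
	int i;
	if (split_args(line, buf, sizeof(buf), argv) < 0)
		return -1;
	for (i = 0; cmds[i].c != NULL; i++)
		if (argv[0] != NULL && strcasecmp(cmds[i].c, argv[0]) == 0)
			break;
	return cmds[i].n;   /* sentinel reached: -1, i.e. "Invalid command" */
}
```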
Patch applied. This will be in openssh-6.2, thanks!
mark bugs closed by openssh-6.2 release as CLOSED