Date: Thu, 26 Oct 2000 11:59:21 +0200 (CEST)
From: brandt@fokus.gmd.de
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/22307: ssh dumps core if fields in password entry are empty
Message-ID: <200010260959.e9Q9xLG01314@fokus.gmd.de>

>Number:         22307
>Category:       bin
>Synopsis:       ssh dumps core if fields in password entry are empty
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 26 03:00:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Hartmut Brandt
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
GMD Fokus
>Environment:
Passwords over NIS from a Solaris NIS server.

>Description:
If one gets the passwords over NIS the pw_class in struct passwd may be
empty (contain a NULL). OpenSSH calls xstrdup on pw_class. xstrdup doesn't
check for NULL pointers being passed and ssh/sshd dumps core. Calling ssh
for local accounts (like root) works ok.

This fix seems (probably) to be introduced with the nsswitch import.

While I'm in ssh.c: the strcpy on pw_class is called twice. This is
obviously a memory leak.

>How-To-Repeat:
Configure your nsswitch.conf to get the passwords from a Solaris NIS
server. Call ssh <host> from one of the NIS accounts.

>Fix:
Don't call xstrcpy in ssh.c:516 if pw_class is NULL. Remove ssh.c:519.
Alternatively fix getpwent to always set pw_class.

>Release-Note:
>Audit-Trail:
>Unformatted:
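
Added example, not part of the original report and not OpenSSH or FreeBSD code: a NULL-tolerant deep copy of password-entry fields that assigns each field exactly once, covering both the crash and the duplicate copy described above. The struct pw_fields type, the helper names and the choice to map NULL to an empty string are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the struct passwd fields involved; pw_class is a
 * BSD extension, so a local struct keeps the example portable. */
struct pw_fields {
    char *pw_name;
    char *pw_class;              /* NULL when the NIS entry has no class */
};

/* Hypothetical helper: duplicate s, mapping NULL to "" so callers never
 * dereference a NULL field. Returns NULL only if allocation fails. */
static char *dup_or_empty(const char *s)
{
    size_t n = (s != NULL) ? strlen(s) + 1 : 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, (s != NULL) ? s : "", n);
    return copy;
}

static void pw_fields_free(struct pw_fields *p)
{
    free(p->pw_name);
    free(p->pw_class);
}

/* Deep-copy src into dst, assigning each field exactly once so no earlier
 * copy is overwritten and leaked. Returns 0 on success, -1 on failure. */
static int pw_fields_copy(struct pw_fields *dst, const struct pw_fields *src)
{
    dst->pw_name = dup_or_empty(src->pw_name);
    dst->pw_class = dup_or_empty(src->pw_class);
    if (dst->pw_name == NULL || dst->pw_class == NULL) {
        pw_fields_free(dst);
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[] = "nisuser";     /* constructed sample entry */
    struct pw_fields src = { name, NULL }, dst;
    if (pw_fields_copy(&dst, &src) != 0)
        return 1;
    pw_fields_free(&dst);
    return 0;
}
```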