From brandt@fokus.gmd.de  Thu Oct 26 02:59:23 2000
Return-Path: <brandt@fokus.gmd.de>
Received: from mailhub.fokus.gmd.de (mailhub.fokus.gmd.de [193.174.154.14])
	by hub.freebsd.org (Postfix) with ESMTP id CBEF737B479
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 26 Oct 2000 02:59:22 -0700 (PDT)
Received: from fokus.gmd.de (beagle [193.175.132.100])
	by mailhub.fokus.gmd.de (8.8.8/8.8.8) with ESMTP id LAA13728
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 26 Oct 2000 11:59:21 +0200 (MET DST)
Received: (from root@localhost)
	by fokus.gmd.de (8.11.1/8.11.0) id e9Q9xLG01314;
	Thu, 26 Oct 2000 11:59:21 +0200 (CEST)
	(envelope-from hbb)
Message-Id: <200010260959.e9Q9xLG01314@fokus.gmd.de>
Date: Thu, 26 Oct 2000 11:59:21 +0200 (CEST)
From: brandt@fokus.gmd.de
Reply-To: brandt@fokus.gmd.de
To: FreeBSD-gnats-submit@freebsd.org
Subject: ssh dumps core if fields in password entry are empty
X-Send-Pr-Version: 3.2

>Number:         22307
>Category:       bin
>Synopsis:       ssh dumps core if fields in password entry are empty
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 26 03:00:01 PDT 2000
>Closed-Date:    Mon Feb 19 13:48:39 PST 2001
>Last-Modified:  Mon Feb 19 13:50:38 PST 2001
>Originator:     Hartmut Brandt
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
GMD Fokus
>Environment:

	Passwords over NIS from a Solaris NIS server.

>Description:

	If one gets the passwords over NIS the pw_class in
	struct passwd may be empty (contain a NULL).
	OpenSSH calls xstrdup on pw_class. xstrdup doesn't check
	for NULL pointers being passed and ssh/sshd dumps core.
	Calling ssh for local accounts (like root) works ok.
	This fix seems (probably) to be introduced with the nsswitch import.

	While I'm in ssh.c: the strcpy on pw_class is called twice. This
	is obviously a memory leak.

>How-To-Repeat:

	Configure your nsswitch.conf to get the passwords from a Solaris
	NIS server. Call ssh <host> from one of the NIS accounts.

>Fix:

	Don't call xstrcpy in ssh.c:516 if pw_class is NULL. Remove
	ssh.c:519. Alternatively fix getpwent to always set pw_class.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kris 
Responsible-Changed-By: brian 
Responsible-Changed-When: Tue Oct 31 16:08:25 PST 2000 
Responsible-Changed-Why:  
I submitted a patch to kris a while ago for this.... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22307 
Responsible-Changed-From-To: kris->green 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sun Nov 12 18:28:12 PST 2000 
Responsible-Changed-Why:  
Green is taking over OpenSSH 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22307 
State-Changed-From-To: open->closed 
State-Changed-By: green 
State-Changed-When: Mon Feb 19 13:48:39 PST 2001 
State-Changed-Why:  
The problem was actually that pw_class should never be NULL in any 
case, so working around it in ssh is a bad idea.  Thanks for the 
report. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=22307 
>Unformatted:

The following patch corrects the problem:


Index: ssh.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/ssh.c,v
retrieving revision 1.10
diff -u -r1.10 ssh.c
--- ssh.c	2000/09/10 09:35:38	1.10
+++ ssh.c	2000/09/20 20:43:53
@@ -513,10 +513,9 @@
 	pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
 	pwcopy.pw_uid = pw->pw_uid;
 	pwcopy.pw_gid = pw->pw_gid;
-	pwcopy.pw_class = xstrdup(pw->pw_class);
 	pwcopy.pw_dir = xstrdup(pw->pw_dir);
 	pwcopy.pw_shell = xstrdup(pw->pw_shell);
-	pwcopy.pw_class = xstrdup(pw->pw_class);
+	pwcopy.pw_class = xstrdup(pw->pw_class ? pw->pw_class : "");
 	pwcopy.pw_expire = pw->pw_expire;
 	pwcopy.pw_change = pw->pw_change;
 	pw = &pwcopy;
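Review bot: the NULL guard is applied to pw_class only (`pwcopy.pw_class = xstrdup(pw->pw_class ? pw->pw_class : "");`), while the same hunk still passes pw->pw_passwd, pw->pw_dir and pw->pw_shell to xstrdup unguarded; if the passwd source can hand back a NULL string field, the copy should treat every string field the same way, or the "no field is NULL" invariant should be enforced where the entry is produced rather than patched around in ssh.c (the resolution the audit trail records). Dropping the earlier duplicate `pwcopy.pw_class = xstrdup(pw->pw_class);` does close the leak the report mentions, but substituting "" silently turns a missing field into an empty one with nothing logged; a short comment on that line explaining why "" is acceptable there would help the next reader.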
