Date: Wed, 19 Dec 2001 18:10:02 -0800 (PST)
From: ian j hart <ianjhart@ntlworld.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/32175: ssh-keygen -p core dumps
Message-ID: <200112200210.fBK2A2633931@freefall.freebsd.org>
The following reply was made to PR bin/32175; it has been noted by GNATS.

From: ian j hart <ianjhart@ntlworld.com>
To: freebsd-gnats-submit@freebsd.org, anarcat@anarcat.dyndns.org
Cc:
Subject: Re: bin/32175: ssh-keygen -p core dumps
Date: Thu, 20 Dec 2001 02:08:29 +0000

Printing the comment is the source of the crash. The error appears to be in /usr/src/crypto/openssh/authfile.c

*** authfile.c.orig Thu Dec 20 01:17:00 2001 --- authfile.c Thu Dec 20 01:21:33 2001 *************** *** 556,562 **** lseek(fd, (off_t) 0, SEEK_SET); /* rewind */ if (pub == NULL) { /* closes fd */ ! return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); } else { /* it's a SSH v1 key if the public key part is readable */ key_free(pub); --- 556,562 ---- lseek(fd, (off_t) 0, SEEK_SET); /* rewind */ if (pub == NULL) { /* closes fd */ ! return key_load_private_pem(fd, KEY_UNSPEC, passphrase, commentp); } else { /* it's a SSH v1 key if the public key part is readable */ key_free(pub);

commentp is the address of a pointer to a heap? allocated string (for the comment). key_load_private_pem will allocate memory and initialise commentp, if it gets a non-null value. As authfile.c is part of libssl someone who knows about this stuff should verify this fix. Because of this I present an alternative workaround.

*** ssh-keygen.c.orig Thu Dec 20 01:16:52 2001 --- ssh-keygen.c Thu Dec 20 01:20:49 2001 *************** *** 456,462 **** void do_change_passphrase(struct passwd *pw) { ! char *comment; char *old_passphrase, *passphrase1, *passphrase2; struct stat st; Key *private; --- 456,462 ---- void do_change_passphrase(struct passwd *pw) { ! char *comment = NULL; char *old_passphrase, *passphrase1, *passphrase2; struct stat st; Key *private;

This only affects ssh-keygen. The offending printf survives the null pointer, as does the xfree() later in the function.
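Review bot: the authfile.c hunk (forwarding commentp instead of NULL into key_load_private_pem) is the right fix for the PEM branch and is safe for callers that pass NULL, because key_load_private_pem only writes through the pointer when it is non-NULL (`if (prv != NULL && commentp) *commentp = xstrdup(name);`). Two things to confirm before committing: every caller of key_load_private that passes a non-NULL commentp must now expect an xstrdup'd string for PEM keys and free it, and since that assignment only happens when prv != NULL, *commentp is left untouched on a failed load, so callers still have to initialise their pointer or check the return value before reading the comment.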
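Review bot: the ssh-keygen.c hunk (`char *comment = NULL;`) removes the uninitialised read but still leaves printf and xfree receiving NULL for PEM keys; passing a NULL pointer to a "%s" conversion is undefined behaviour in C (some libcs print "(null)", others crash), so if this workaround is taken instead of the authfile.c change, guard the printf with a NULL check or print a fixed string when comment is NULL, and confirm that xfree() actually tolerates NULL rather than relying on the observation that it survives; if it does not, free only when comment is non-NULL.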
Call tree:

ssh-keygen.c:
457:void do_change_passphrase(struct passwd *pw)
477:private = key_load_private(identity_file, old_passphrase , &comment);

authfile.c:
541:Key *key_load_private(const char *filename, const char *passphrase, char **commentp)
559:return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); <--- error
435:Key *key_load_private_pem(int fd, int type, const char *passphrase, char **commentp)
478: if (prv != NULL && commentp) *commentp = xstrdup(name);

I wasn't sure whether to quote the whole thing here. Perhaps someone could advise me on "style".

-- 
ian j hart

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message