From owner-freebsd-bugs Wed Dec 19 18:10: 8 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 209A637B416 for ; Wed, 19 Dec 2001 18:10:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id fBK2A2633931; Wed, 19 Dec 2001 18:10:02 -0800 (PST) (envelope-from gnats)
Date: Wed, 19 Dec 2001 18:10:02 -0800 (PST)
Message-Id: <200112200210.fBK2A2633931@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: ian j hart
Subject: Re: bin/32175: ssh-keygen -p core dumps
Reply-To: ian j hart
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The following reply was made to PR bin/32175; it has been noted by GNATS.

From: ian j hart
To: freebsd-gnats-submit@freebsd.org, anarcat@anarcat.dyndns.org
Cc:
Subject: Re: bin/32175: ssh-keygen -p core dumps
Date: Thu, 20 Dec 2001 02:08:29 +0000

Printing the comment is the source of the crash. The error appears to be in /usr/src/crypto/openssh/authfile.c

*** authfile.c.orig Thu Dec 20 01:17:00 2001 --- authfile.c Thu Dec 20 01:21:33 2001 *************** *** 556,562 **** lseek(fd, (off_t) 0, SEEK_SET); /* rewind */ if (pub == NULL) { /* closes fd */ ! return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); } else { /* it's a SSH v1 key if the public key part is readable */ key_free(pub); --- 556,562 ---- lseek(fd, (off_t) 0, SEEK_SET); /* rewind */ if (pub == NULL) { /* closes fd */ ! return key_load_private_pem(fd, KEY_UNSPEC, passphrase, commentp); } else { /* it's a SSH v1 key if the public key part is readable */ key_free(pub);

commentp is the address of a pointer to a heap? allocated string (for the comment). key_load_private_pem will allocate memory and initialise commentp, if it gets a non-null value.
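Review bot: Forwarding commentp here matches the contract shown at authfile.c line 478 in the call tree below (`if (prv != NULL && commentp) *commentp = xstrdup(name);`), so a caller passing NULL is unaffected and a caller passing &comment now receives a heap string on the PEM path as well as on the SSH v1 path. Two things to check before committing: every caller of key_load_private that passes a non-NULL commentp must xfree() the string it now gets back, and because line 478 writes nothing when prv is NULL, callers still have to initialise their own comment pointer for the failure path.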
As authfile.c is part of libssl someone who knows about this stuff should verify this fix. Because of this I present an alternative workaround.

*** ssh-keygen.c.orig Thu Dec 20 01:16:52 2001 --- ssh-keygen.c Thu Dec 20 01:20:49 2001 *************** *** 456,462 **** void do_change_passphrase(struct passwd *pw) { ! char *comment; char *old_passphrase, *passphrase1, *passphrase2; struct stat st; Key *private; --- 456,462 ---- void do_change_passphrase(struct passwd *pw) { ! char *comment = NULL; char *old_passphrase, *passphrase1, *passphrase2; struct stat st; Key *private;

This only affects ssh-keygen. The offending printf survives the null pointer, as does the xfree() later in the function.

Call tree:

ssh-keygen.c:
457:void do_change_passphrase(struct passwd *pw)
477:private = key_load_private(identity_file, old_passphrase , &comment);

authfile.c:
541:Key *key_load_private(const char *filename, const char *passphrase, char **commentp)
559:return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); <--- error
435:Key *key_load_private_pem(int fd, int type, const char *passphrase, char **commentp)
478: if (prv != NULL && commentp) *commentp = xstrdup(name);

I wasn't sure whether to quote the whole thing here. Perhaps someone could advise me on "style".

--
ian j hart
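Review bot: `char *comment = NULL;` is worth keeping even alongside the authfile.c change, since per line 478 the loader leaves *commentp untouched when it fails, but on its own it only masks the defect: with key_load_private still passing NULL on the PEM path, ssh-keygen -p runs with comment == NULL and never shows the real comment for a PEM key. Suggest applying both patches, and adding a one-line comment on the initialisation explaining that the loader may not set it.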
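The mechanism the reply describes, as an added C model written for this page and not OpenSSH's code: a loader whose PEM branch drops the comment out-parameter, beside the corrected branch, and a caller that checks whether its pointer was ever written. The loaders, the format checks and the comment strings are constructed stand-ins for key_load_private_pem() and the SSH v1 path.

```c
/* Constructed model of the defect in PR bin/32175; this is not OpenSSH code. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
typedef struct { int type; } Key;

static char garbage[] = "stack garbage";  /* plays the part of an uninitialised pointer */

/* Hypothetical stand-in for key_load_private_pem(): like the quoted line 478, it
 * writes *commentp only when the key parsed and commentp is non-NULL. */
static Key *load_pem(const char *data, char **commentp) {
    if (strncmp(data, "-----BEGIN", 10) != 0)
        return NULL;
    Key *k = calloc(1, sizeof *k);
    if (k != NULL && commentp)
        *commentp = strdup("pem key");
    return k;
}

/* Hypothetical stand-in for the SSH v1 loader: the comment follows a fixed magic. */
static Key *load_v1(const char *data, char **commentp) {
    static const char magic[] = "SSH PRIVATE KEY FILE ";
    if (strncmp(data, magic, sizeof magic - 1) != 0)
        return NULL;
    Key *k = calloc(1, sizeof *k);
    if (k != NULL && commentp)
        *commentp = strdup(data + sizeof magic - 1);
    return k;
}

/* Before the patch: the PEM branch passes NULL, so the caller's pointer is never written. */
Key *load_private_before(const char *data, char **commentp) {
    Key *k = load_v1(data, commentp);
    return k ? k : load_pem(data, NULL);
}

/* After the patch: commentp is forwarded, as in the authfile.c hunk. */
Key *load_private_after(const char *data, char **commentp) {
    Key *k = load_v1(data, commentp);
    return k ? k : load_pem(data, commentp);
}

/* Returns 1 if the loader handed the caller a usable comment, 0 if the pointer
 * still holds whatever was there before the call (the case that crashed ssh-keygen). */
int comment_set_by(Key *(*loader)(const char *, char **), const char *data) {
    char *comment = garbage;   /* simulates `char *comment;` left uninitialised */
    Key *k = loader(data, &comment);
    int ok = (k != NULL && comment != garbage);
    if (ok) free(comment);
    free(k);
    return ok;
}
```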