[Bug 1795] New: An integer variable "num" in mm_answer_pam_query() is not initialized before used
bugzilla-daemon at bugzilla.mindrot.org
Tue Jul 13 19:11:19 EST 2010
https://bugzilla.mindrot.org/show_bug.cgi?id=1795
Summary: An integer variable "num" in mm_answer_pam_query() is
not initialized before used
Product: Portable OpenSSH
Version: 5.5p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: bitman.zhou at centrify.com
An integer variable "num" in mm_answer_pam_query() is not
initialized before it is used if the PAM module has errors. This happens on HP-UX,
where the gcc compiler doesn't do default initialization.
------ code ------
int
mm_answer_pam_query(int sock, Buffer *m)
{
	char *name, *info, **prompts;
	u_int i, num, *echo_on;	/* <== num is not initialized and could be a random large number */
	int ret;

	debug3("%s", __func__);
	sshpam_authok = NULL;
	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num,
	    &prompts, &echo_on);	/* <== num may not be altered in this call */
	if (ret == 0 && num == 0)
		sshpam_authok = sshpam_ctxt;
	if (num > 1 || name == NULL || info == NULL)
		ret = -1;
	buffer_clear(m);
	buffer_put_int(m, ret);
	buffer_put_cstring(m, name);
	xfree(name);
	buffer_put_cstring(m, info);
	xfree(info);
	buffer_put_int(m, num);
	for (i = 0; i < num; ++i) {
		buffer_put_cstring(m, prompts[i]);	/* <== fail here! */
		xfree(prompts[i]);
		buffer_put_int(m, echo_on[i]);
	}
------- sshd debug log -----------
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
buffer_put_cstring: s == NULL
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
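The pattern the report describes, as an added example that is not part of the original report and is not OpenSSH code: a caller that sets every output to 0/NULL before the query callback runs, so a callback that fails without writing them leaves the prompt loop with nothing to walk. query_fails, query_ok and answer_query are hypothetical stand-ins, and buffer serialization is reduced to a counter.

```c
#include <stdlib.h>

typedef int (*query_fn)(char **, char **, unsigned int *, char ***);

/* Assumed stand-in for sshpam_device.query failing with outputs untouched. */
int query_fails(char **name, char **info, unsigned int *num, char ***prompts)
{
    (void)name; (void)info; (void)num; (void)prompts;
    return -1;
}

/* Assumed stand-in for a successful query with one (empty) prompt. */
int query_ok(char **name, char **info, unsigned int *num, char ***prompts)
{
    *name = calloc(1, 1);
    *info = calloc(1, 1);
    *prompts = calloc(1, sizeof(**prompts));
    if (*prompts != NULL)
        (*prompts)[0] = calloc(1, 1);
    *num = 1;
    return 0;
}

/* Every output starts at 0/NULL, so a query that fails without writing
 * them cannot drive the loop. *sent counts prompts that would be sent. */
int answer_query(query_fn query, unsigned int *sent)
{
    char *name = NULL, *info = NULL, **prompts = NULL;
    unsigned int i, num = 0;
    int ret = query(&name, &info, &num, &prompts);
    *sent = 0;
    if (num > 1 || name == NULL || info == NULL)
        ret = -1;
    for (i = 0; prompts != NULL && i < num; i++) {
        if (prompts[i] == NULL)
            ret = -1;           /* never pass NULL to the serializer */
        else if (ret == 0)
            (*sent)++;
        free(prompts[i]);
    }
    free(prompts); free(name); free(info);
    return ret;
}

int main(void)
{
    unsigned int sent;
    return answer_query(query_ok, &sent) == 0 && sent == 1 ? 0 : 1;
}
```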