[Bug 1956] New: sftp segfaults in parse_args() when argv[0] is NULL

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Dec 8 06:03:28 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1956

             Bug #: 1956
           Summary: sftp segfaults in parse_args() when argv[0] is NULL
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sftp
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: imorgan at nas.nasa.gov


If sftp is built without libedit support, a segfault can occur in
parse_args() when argv[0] equals NULL. This can be triggered by
entering ^L (followed by <enter>) on a blank line.

Connected to alex.
sftp> ^L
Segmentation fault (core dumped)

The backtrace from gdb shows:

#0  0x0000003af267c100 in strcasecmp () from /lib64/libc.so.6
#1  0x0000000000404dd2 in parse_args (conn=0x13fbc0c0, cmd=<value
optimized out>, pwd=0x7fff330ac518, err_abort=0)
    at sftp.c:1145
#2  parse_dispatch_command (conn=0x13fbc0c0, cmd=<value optimized out>,
pwd=0x7fff330ac518, err_abort=0)
    at sftp.c:1300
#3  0x0000000000406327 in interactive_loop (conn=0x13fbc0c0,
file1=<value optimized out>, 
    file2=<value optimized out>) at sftp.c:1990
#4  0x0000000000406913 in main (argc=<value optimized out>,
argv=0x13fbc030) at sftp.c:2273
(gdb) 

The problem appears to be that argv[0] is NULL, and there is no check
for this prior to the strcasecmp() call.

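Added example, not OpenSSH's sftp code and not from the reporter: a minimal C model of the failure described above, with a hypothetical whitespace tokenizer and a command dispatcher shown unchecked beside its guarded form. The names tokenize, dispatch_unchecked, dispatch_checked and parse_line are assumptions.

```c
/* Added example, not OpenSSH code (names are hypothetical): a line holding
 * only a form feed (^L) tokenizes to zero words, so argv[0] is NULL, and
 * comparing it before checking argc hands NULL to strcasecmp(). */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ARGS 16
#define DELIM " \t\r\n\v\f"   /* whitespace, including ^L (form feed) */
enum { CMD_UNKNOWN = -1, CMD_EMPTY = 0, CMD_LS = 1, CMD_CD = 2 };

/* Split a line on whitespace in place and NULL-terminate argv. A blank or
 * all-whitespace line (such as "\f") leaves argc == 0 and argv[0] == NULL. */
int tokenize(char *line, char *argv[], int max)
{
    int argc = 0;
    char *tok = strtok(line, DELIM);
    while (tok != NULL && argc < max - 1) {
        argv[argc++] = tok;
        tok = strtok(NULL, DELIM);
    }
    argv[argc] = NULL;
    return argc;
}

/* Before: no argc check, so a blank line calls strcasecmp(NULL, "ls"). */
int dispatch_unchecked(char *argv[])
{
    if (strcasecmp(argv[0], "ls") == 0) return CMD_LS;
    if (strcasecmp(argv[0], "cd") == 0) return CMD_CD;
    return CMD_UNKNOWN;
}

/* After: reject an empty token list before any string comparison. */
int dispatch_checked(int argc, char *argv[])
{
    if (argc == 0 || argv[0] == NULL)
        return CMD_EMPTY;
    if (strcasecmp(argv[0], "ls") == 0) return CMD_LS;
    if (strcasecmp(argv[0], "cd") == 0) return CMD_CD;
    return CMD_UNKNOWN;
}

/* Tokenize a private copy of input and dispatch through the checked path. */
int parse_line(const char *input)
{
    char buf[256], *argv[MAX_ARGS];
    snprintf(buf, sizeof buf, "%s", input);
    return dispatch_checked(tokenize(buf, argv, MAX_ARGS), argv);
}
```

With the guard in place a bare ^L line is reported as an empty command instead of reaching strcasecmp() with a NULL pointer.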