[Bug 2207] Potential NULL deference, found using coverity

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Mar 5 02:40:54 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2207

--- Comment #2 from Arthur Mesh <arthurmesh at gmail.com> ---
Not sure why e-mail correspondence didn't make it here -- hence
reposting:
On Mon, Mar 03, 2014 at 09:27:38PM +0000, bugzilla-daemon at mindrot.org
wrote:
> We don't normally mark crashers as security bugs unless they take down
> the master sshd process.

Noted.

> That being said, there is no NULL dereference here anyway. See the
> "kdfname == NULL"

Disagree. Let me try to be more specific:

Let's for the sake of argument assume:
kdfname = "bcrypt"
passphrase = NULL
ciphername = "none"

Please ignore this bug if such assumptions are invalid.

 277         if ((passphrase == NULL || !strlen(passphrase)) &&
 278             strcmp(ciphername, "none") != 0) {
 279                 /* passphrase required */
 280                 goto out;
 281         }

Given the assumption, condition in line 277 is false.

 283         if (kdfname == NULL ||
 284             (!strcmp(kdfname, "none") && !strcmp(kdfname,
"bcrypt"))) {
 285                 error("%s: unknown kdf name", __func__);
 286                 goto out;
 287         }

Given the assumption, condition in line 283 is false.

 288         if (!strcmp(kdfname, "none") && strcmp(ciphername, "none")
!= 0) {
 289                 error("%s: cipher %s requires kdf", __func__,
ciphername);
 290                 goto out;
 291         }

Furthermore, condition in 288 is false as well.

 338         if (!strcmp(kdfname, "bcrypt")) {
 339                 if ((salt = buffer_get_string_ret(&kdf, &slen)) ==
NULL) {
 340                         error("%s: salt not set", __func__);
 341                         goto out;
 342                 }
 343                 if (buffer_get_int_ret(&rounds, &kdf) < 0) {
 344                         error("%s: rounds not set", __func__);
 345                         goto out;
 346                 }
 347                 if (bcrypt_pbkdf(passphrase, strlen(passphrase),
salt, slen,
 348                     key, keylen + ivlen, rounds) < 0) {
 349                         error("%s: bcrypt_pbkdf failed",
__func__);
 350                         goto out;
 351                 }

Condition in 338 is true, and line 347 could produce a NULL dereference
(strlen(NULL)).

Condition in 338 is true, and line 347 could produce a NULL dereference
(strlen(NULL)).

(Again, assuming that lines 339 and 343 do not fail).

Perhaps I am missing something obvious here..

Thanks

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list