[Bug 3949] New: authfd.c: unchecked calloc() in ssh_agent_query_extensions() can return success with *exts == NULL

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Apr 14 12:05:46 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3949

            Bug ID: 3949
           Summary: authfd.c: unchecked calloc() in
                    ssh_agent_query_extensions() can return success with
                    *exts == NULL
           Product: Portable OpenSSH
           Version: 10.3p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ruihe at magnum-opus.llc

In ssh_agent_query_extensions(), ret = calloc(1, sizeof(*ret)) is not
checked before later logic may return success. If that allocation fails
and the agent response contains zero extension names, the function can
return r = 0 while also returning *exts == NULL. That creates a
false-success / silent-failure condition where the caller cannot
distinguish successful empty results from allocation failure.

I am filing this as a non-security correctness/API-contract bug.
----------

Location:

authfd.c:806
----------

Observed behavior:

Under deterministic NULL injection at the calloc() site, the test
harness confirms the function can return success while propagating a
NULL output pointer, summarized as “silent failure” in the report
artifact. The summary records query_test exiting with a dedicated
success-but-invalid-output indicator.
----------

Expected behavior:

If the initial calloc() fails, the function should return an error and
should not report success with an invalid output state.
----------

Mechanism:

ret = calloc(1, sizeof(*ret)) returns NULL
agent response contains zero extension strings
the while loop is skipped
function reaches success path
*exts = ret propagates NULL
function returns r = 0 even though allocation failed
----------

Why this matters:

This is not a crash surface in the main reported case. It is a semantic
bug: the function reports success while returning an output state that
is indistinguishable from a valid empty result.
----------

Reproduction notes:

The reproduction package includes deterministic NULL injection and a
clean-room harness, with source provenance recorded from an exact
commit export.
----------

Additional notes:

I am not claiming security impact here. This report is about unchecked
allocation and misleading success semantics in the API contract.
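A minimal C model of the control flow the report describes, added here as an illustration and not taken from OpenSSH's authfd.c: `query_exts_buggy` mirrors the reported shape (allocation unchecked, loop skipped when the agent sent zero names, success returned with `*exts == NULL`), and `query_exts_fixed` shows the check the reporter expects. The `ext_list` type, the function names and the `inject_calloc_failure` hook are assumptions used only to make the allocation failure deterministic.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for the extension list; not OpenSSH's own type. */
struct ext_list {
	size_t n;	/* number of extension names recorded */
};

/* Allocation hook (assumed, for the test): set to 1 to inject a NULL return. */
static int inject_calloc_failure = 0;

static void *
model_calloc(size_t nmemb, size_t size)
{
	if (inject_calloc_failure)
		return NULL;
	return calloc(nmemb, size);
}

/*
 * Reported shape: the calloc() result is never checked. With zero names the
 * loop body never runs, so nothing dereferences ret, and the function
 * stores NULL into *exts while still returning 0 ("success").
 */
int
query_exts_buggy(size_t nnames, struct ext_list **exts)
{
	struct ext_list *ret = model_calloc(1, sizeof(*ret));

	while (nnames-- > 0)
		ret->n++;	/* with nnames > 0 and ret == NULL this would crash */
	*exts = ret;
	return 0;
}

/* Expected behaviour: fail early so the caller can tell ENOMEM from "empty". */
int
query_exts_fixed(size_t nnames, struct ext_list **exts)
{
	struct ext_list *ret;

	*exts = NULL;
	if ((ret = model_calloc(1, sizeof(*ret))) == NULL)
		return -1;	/* allocation failure is reported, not hidden */
	while (nnames-- > 0)
		ret->n++;
	*exts = ret;
	return 0;
}
```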
