segfault in openssh-1.2pre13

Damien Miller djm at mindrot.org
Sat Nov 20 16:49:32 EST 1999


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 19 Nov 1999, Berend De Schouwer wrote:

> RH6.0, Intel, openssh-1.2pre13
> 
> If I generate /etc/ssh_host_key, it works, if I generate
> /root/.ssh/identity it segfaults.  Every time.

Fixed. There was a buffer overrun in the filename handling.
Please try the attached patch.

Regards,
Damien Miller

> # ssh-keygen 
> Generating RSA keys:  Key generation complete.
> Enter file in which to save the key (/root/.ssh/identity): 
> Enter passphrase (empty for no passphrase): 
> Enter same passphrase again: 
> Your identification has been saved in /root/.ssh/identity.
> Your public key is:
> 1024 35 120157590 ......  3660088497 root at bongw3.bonus.co.za
> Segmentation fault (core dumped)
> 
> # ssh-keygen 
> Generating RSA keys:  Key generation complete.
> Enter file in which to save the key (/root/.ssh/identity): /etc/ssh_host_key
> Enter passphrase (empty for no passphrase): 
> Enter same passphrase again: 
> Your identification has been saved in /etc/ssh_host_key.
> Your public key is:
> 1024 35 167064111 ......  49601307 root at bongw3.bonus.co.za
> Your public key has been saved in /etc/ssh_host_key.pub
> 
> (keys shortened for mail)
> 
> Following is from a backtrace:
> # gdb ssh-keygen /root/core 
> GNU gdb 4.17.0.11 with Linux support
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...
> Core was generated by `ssh-keygen'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libpam.so.0...done.
> Reading symbols from /lib/libdl.so.2...done.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /usr/lib/libz.so.1...done.
> Reading symbols from /lib/libutil.so.1...done.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> #0  chunk_alloc (ar_ptr=0x40132580, nb=184) at malloc.c:2723
> malloc.c:2723: No such file or directory.
> (gdb) bt
> #0  chunk_alloc (ar_ptr=0x40132580, nb=184) at malloc.c:2723
> #1  0x400a1b8a in __libc_malloc (bytes=176) at malloc.c:2616
> #2  0x4009ae5b in _IO_new_fopen (filename=0x8068e80 "/root/.ssh/identity.¹", 
>     mode=0x805f6e3 "w") at iofopen.c:42
> #3  0x804a14f in main (ac=1, av=0xbffffd64) at ssh-keygen.c:574
> #4  0x40061cb3 in __libc_start_main (main=0x8049b44 <main>, argc=1, 
>     argv=0xbffffd64, init=0x8048e10 <_init>, fini=0x805f43c <_fini>, 
>     rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffd5c)
>     at ../sysdeps/generic/libc-start.c:78
> (gdb) 
> 
> 
> Funny filename "/root/.ssh/identity.¹"
> 
> -- 
> Kind regards,
> Berend
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Berend De Schouwer, +27-11-712-1435, UCS
> 
> 

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4NjZvormJ9RG1dI8RAqweAKCIdcMsIn9Vvuv7XOC+c4q6VwSpJACfRCo6
OOgqwWcT9PLydyNVNNDFONo=
=XjB/
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: ssh-keygen.c
===================================================================
RCS file: /var/cvs/openssh/ssh-keygen.c,v
retrieving revision 1.5
diff -u -r1.5 ssh-keygen.c
--- ssh-keygen.c	1999/11/17 06:29:08	1.5
+++ ssh-keygen.c	1999/11/20 05:45:49
@@ -570,6 +570,7 @@
 
   /* Save the public key in text format in a file with the same name but
      .pub appended. */
+  file = xrealloc(file, strlen(file) + 5);
   strcat(file, ".pub");
   f = fopen(file, "w");
   if (!f)
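Review bot: the added `file = xrealloc(file, strlen(file) + 5);` is only valid if `file` already came from xmalloc/xstrdup, and the allocation site is outside this hunk, so the patch itself does not show that; handing a static or stack buffer to realloc is undefined behaviour. Either add a comment at this point recording that `file` is always heap-allocated, or avoid the question by building the name in a fresh buffer and opening that: `size_t len = strlen(file) + 5; char *pub = xmalloc(len); snprintf(pub, len, "%s.pub", file);`. The +5 is right (four characters of ".pub" plus the terminator), but with the following `strcat(file, ".pub");` left in place the reader has to re-derive that arithmetic, whereas a named length passed to snprintf makes it checkable at the call.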


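The pattern behind the quoted backtrace, shown as an added example (this is not OpenSSH code and not code from the thread; the function names and the arena/canary scheme are this example's own): the filename sits in a buffer sized exactly for the string, and `strcat(file, ".pub")` writes five bytes (".pub" plus the terminator) starting at the old terminator, so four of them land past the allocation on whatever the allocator keeps there. The next malloc, the one `fopen` makes for its FILE structure in frame #2 above, then walks the damaged chunk and faults in `chunk_alloc`. Whether a four-byte heap overrun faults at all depends on what lies after the buffer, which is why such bugs can be path-dependent. The overrun is reproduced here inside a larger arena with a canary standing in for the neighbouring chunk, so the demonstration itself has defined behaviour; the sized build beside it is the shape a fix should take.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSH code: the exact-size buffer plus strcat
 * pattern behind the crash in the backtrace above, next to a sized build
 * of the ".pub" name. Function names and the arena/canary scheme are this
 * example's own, not the project's. */

/* Number of bytes strcat(file, ".pub") would write past a buffer of `cap`
 * bytes that holds the string `name`; 0 when the result fits. For a buffer
 * sized exactly strlen(name)+1 (what a plain strdup gives) this is 4. */
size_t pub_overrun_bytes(const char *name, size_t cap)
{
    size_t need = strlen(name) + sizeof(".pub"); /* sizeof counts the NUL: +5 */
    return need > cap ? need - cap : 0;
}

/* Reproduces the overrun without undefined behaviour: `name` occupies the
 * first strlen(name)+1 bytes of a larger arena (standing in for the exact-
 * size allocation), and the bytes after it hold a canary in place of the
 * next heap chunk's header. Returns how many canary bytes strcat destroys. */
size_t clobbered_after_strcat(const char *name)
{
    enum { ARENA = 256, CANARY = 0xA5 };
    unsigned char arena[ARENA];
    size_t len = strlen(name), clobbered = 0, i;

    if (len + sizeof(".pub") > ARENA)
        return 0; /* keep the demonstration inside the arena */

    memset(arena, CANARY, sizeof arena);
    memcpy(arena, name, len + 1);            /* the "allocation": len+1 bytes */
    strcat((char *)arena, ".pub");           /* writes ".pub\0" at [len, len+4] */

    for (i = len + 1; i < sizeof arena; i++) /* everything past the allocation */
        if (arena[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* The fixed shape: a fresh buffer sized for name + ".pub" + NUL, filled
 * with snprintf so the length is enforced by the call itself. Caller frees;
 * NULL on allocation failure. */
char *pub_filename(const char *name)
{
    size_t len = strlen(name) + sizeof(".pub");
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    snprintf(out, len, "%s.pub", name);
    return out;
}

/* Check helper: 1 when pub_filename(name) equals `expect`, else 0. */
int pub_filename_is(const char *name, const char *expect)
{
    char *p = pub_filename(name);
    int ok = p != NULL && strcmp(p, expect) == 0;
    free(p);
    return ok;
}

int main(void)
{
    const char *name = "/root/.ssh/identity"; /* the path from the report */
    size_t exact = strlen(name) + 1;          /* exact-size buffer */

    printf("exact-size buffer (%zu bytes): strcat overruns by %zu bytes, "
           "clobbering %zu bytes after it\n",
           exact, pub_overrun_bytes(name, exact), clobbered_after_strcat(name));
    printf("buffer of strlen+5 bytes: overrun %zu\n",
           pub_overrun_bytes(name, strlen(name) + 5));
    printf("sized build: %s\n",
           pub_filename_is(name, "/root/.ssh/identity.pub") ? "ok" : "mismatch");
    return 0;
}
```

Build with any C99 compiler and run it; the two paths from the report both overrun by the same four bytes, so the difference the reporter saw between `/etc/ssh_host_key` and `/root/.ssh/identity` is down to heap layout, not to the names themselves.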
More information about the openssh-unix-dev mailing list