bug in sshd.d (destroy_sensitive_data core dumps)

Gert Doering gert at greenie.muc.de
Sat Dec 23 02:01:33 EST 2000


Hi,

experimenting with openssh_cvs on my SCO Unix 3.2v4.2 machine, I had
sshd core dumping on me.

Tracking this, I found that if a host key is specified in the sshd_config
that does not exist (I used "./sshd -d -d -d -f sshd_config" with the 
shipped sshd_config file, to work around incompatibilities with the 
installed sshd.com's sshd_config, and I do not have ssh2 host keys on
this machine), sshd will leave 

   sensitive_data.host_keys[<i>]

uninitialized - the memory area is malloc()ed, so never initialized, and
later on destroy_sensitive_data reads a pointer from it and tries to
overwrite *that* memory location.

A quick fix is appended below: if a host key file can't be read, 
host_keys[i] is set to NULL.  This does not seem to have adverse
effects, and the core dumps go away.

The patch is off by a few lines due to other changes (debugging added
to track this).

gert

Index: sshd.c
===================================================================
RCS file: /cvs/openssh_cvs/sshd.c,v
retrieving revision 1.101
diff -u -r1.101 sshd.c
--- sshd.c	2000/12/15 23:31:01	1.101
+++ sshd.c	2000/12/22 14:56:29
@@ -702,6 +706,7 @@
 		if (key == NULL) {
 			error("Could not load host key: %.200s: %.100s",
 			    options.host_key_files[i], strerror(errno));
+			sensitive_data.host_keys[i] = NULL;
 			continue;
 		}
 		switch(key->type){
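Review bot: Writing `sensitive_data.host_keys[i] = NULL;` on the `key == NULL` path fixes the one failure branch visible here, but it leaves every slot's validity dependent on each early-exit path in the loop remembering to write it; zeroing the whole table right after it is allocated (a calloc()-style allocation or an explicit loop setting every entry to NULL) would guarantee the invariant regardless of which loads fail, and the per-branch assignment could then be dropped. It is also worth confirming that destroy_sensitive_data tests each slot for NULL before freeing it, since the fix depends on that check rather than on this hunk; the reporter's "does not seem to have adverse effects" suggests it does, but the patch does not show it.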
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
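The defect Gert describes, reduced to a runnable model as an added example (this is not OpenSSH's code and not part of the message): the host-key table is malloc()ed, a load failure skips the slot with `continue`, and the destroy routine later trusts every slot. The key loader, the `POISON_BYTE` fill that stands in for whatever a real malloc() leaves behind, the type and function names, and the sample file list are all assumptions made for illustration; `apply_fix` switches between the reported behaviour and the one-line patch.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSH's code: a reduced model of the host-key table
 * the message describes. All names (host_key, load_one_key, ...) and the
 * sample file list are assumptions made for illustration. */

typedef struct {
    int type;
    char secret[32];            /* stands in for the private key material */
} host_key;

typedef struct {
    host_key **host_keys;
    int num_host_keys;
} sensitive_data_t;

/* Constructed stand-in for the key loader: any path starting with "missing"
 * is treated as an unreadable key file and yields NULL. */
static host_key *load_one_key(const char *path)
{
    if (strncmp(path, "missing", 7) == 0)
        return NULL;
    host_key *k = malloc(sizeof *k);
    if (k == NULL)
        return NULL;
    k->type = 1;
    strcpy(k->secret, "private-key-bytes");
    return k;
}

/* A malloc()ed block holds whatever the allocator left there. To make that
 * observable without undefined behaviour, the fresh table is filled with
 * 0xAB bytes here; in real code its contents are simply unspecified. */
#define POISON_BYTE 0xAB

static int slot_is_uninitialized(host_key *slot)
{
    unsigned char pat[sizeof slot];
    memset(pat, POISON_BYTE, sizeof pat);
    return memcmp(&slot, pat, sizeof slot) == 0;   /* compares the pointer bytes */
}

/* Mirrors the loading loop from the patch. With apply_fix == 0 the slot for
 * an unreadable key file is never written (the bug); with apply_fix == 1 it
 * is set to NULL, as the one-line patch does. Returns the number of keys
 * loaded, or -1 if the table could not be allocated. */
static int load_host_keys(sensitive_data_t *sd, const char **files, int n,
                          int apply_fix)
{
    int loaded = 0;
    sd->num_host_keys = n;
    sd->host_keys = malloc((size_t)n * sizeof *sd->host_keys);
    if (sd->host_keys == NULL)
        return -1;
    memset(sd->host_keys, POISON_BYTE, (size_t)n * sizeof *sd->host_keys);
    for (int i = 0; i < n; i++) {
        host_key *key = load_one_key(files[i]);
        if (key == NULL) {
            if (apply_fix)
                sd->host_keys[i] = NULL;    /* the patch */
            continue;                       /* otherwise slot i stays stale */
        }
        sd->host_keys[i] = key;
        loaded++;
    }
    return loaded;
}

/* Counts slots still holding the allocator's leftovers: each is a pointer
 * that destroy_sensitive_data would dereference and write through, which is
 * the crash the message reports. */
static int count_uninitialized_slots(const sensitive_data_t *sd)
{
    int stale = 0;
    for (int i = 0; i < sd->num_host_keys; i++)
        if (slot_is_uninitialized(sd->host_keys[i]))
            stale++;
    return stale;
}

/* The wipe-and-free step with the NULL check the patch relies on. Returns
 * how many keys were wiped. Safe only when every slot is NULL or valid. */
static int destroy_sensitive_data(sensitive_data_t *sd)
{
    int wiped = 0;
    for (int i = 0; i < sd->num_host_keys; i++) {
        if (sd->host_keys[i] == NULL)
            continue;
        memset(sd->host_keys[i]->secret, 0, sizeof sd->host_keys[i]->secret);
        free(sd->host_keys[i]);
        sd->host_keys[i] = NULL;
        wiped++;
    }
    free(sd->host_keys);
    sd->host_keys = NULL;
    sd->num_host_keys = 0;
    return wiped;
}

/* Demo-only cleanup for the unpatched table: it recognises the poison marker,
 * which real code cannot, so loaded keys are freed without touching the stale slot. */
static void discard_table_demo(sensitive_data_t *sd)
{
    for (int i = 0; i < sd->num_host_keys; i++)
        if (sd->host_keys[i] != NULL && !slot_is_uninitialized(sd->host_keys[i]))
            free(sd->host_keys[i]);
    free(sd->host_keys);
    sd->host_keys = NULL;
    sd->num_host_keys = 0;
}
```

With three configured key files of which one is unreadable, the unpatched loop leaves one stale slot that `destroy_sensitive_data` would write through; with the patch applied the same table has no stale slot and the destroy routine wipes exactly the two keys that were loaded. Zeroing the whole table at allocation time would give the same guarantee without relying on every failure branch in the loop.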