Probable bug in Chroot patch (v3.4p1)
Wick, Kent
kent.wick at mhmr.state.tx.us
Fri Aug 9 01:47:43 EST 2002
While I was trying to get the patch to work on one of my AIX hosts (4.3.3),
I discovered what is probably a bug in the section of code in session.c.

    for (i = 0; i < options.num_chroot_users; i++) {
        if (match_user(pw->pw_name, hostname, ipaddr,
            options.chroot_users[i])) {
            dir = chroot_dir(pw);
            /* 'dir' now points to memory block holding pathname */
            new_home = dir;
            /* contents of 'dir' pointer copied to 'new_home' pointer */
            xfree(dir);
            /* memory block with pathname freed */
            if(chdir(new_home) == -1)
                /* now trying to reference said freed memory block */
                /* this blows up big time on AIX */
                /* I can get it to go further if I comment out the xfree
                   statement BUT that leaves a memory leak.
                   Since I don't know openssh code well enough, I
                   figured I would toss this back to the list and see
                   if somebody had a suggestion */
                fatal("chdir to %s failed: %s",
                    new_home, strerror(errno));
            /* continue to try to use freed memory block pointed to by 'new_home' */
            if(chroot(new_home) == -1) {
                /* continue to try to use freed memory block pointed to by 'new_home' */
                fatal("chroot to %s failed: %s",
                    new_home, strerror(errno));
                /* continue to try to use freed memory block pointed to by 'new_home' */
            }
            else
                pw->pw_dir = new_root;
        }
    }

====================================================
Kent Wick, TxMHMR, Unix/Network Systems Programmer
Email: kent.wick at mhmr.state.tx.us
Phone: (512) 206-5931 Fax: (512) 206-4838
Snail mail: PO Box 12668, Austin, Tx 78711-2668
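
Added example (not part of the original message, and not code from OpenSSH or the chroot patch): one ownership-correct ordering for the pattern quoted above, where the pathname block is freed only on the failure path after its last use and is otherwise handed to the caller instead of being freed early. The names chroot_dir_example, enter_new_root, do_chroot and kept are hypothetical, and it is an assumption that chroot_dir() returns a heap block the caller owns.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* for chroot() on glibc */
#endif
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the patch's chroot_dir(): returns a
 * heap-allocated pathname that the caller owns. */
static char *chroot_dir_example(const char *home)
{
    size_t n = strlen(home) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, home, n);
    return p;
}

/* Returns 0 and passes the heap block to *kept (caller owns it, e.g. to
 * store in pw->pw_dir); returns -1 with errno set and the block freed.
 * do_chroot = 0 lets the function run without root privileges. */
int enter_new_root(const char *home, int do_chroot, char **kept)
{
    char *dir = chroot_dir_example(home);
    int saved;

    *kept = NULL;
    if (dir == NULL)
        return -1;
    if (chdir(dir) == -1 || (do_chroot && chroot(dir) == -1)) {
        saved = errno;   /* free() may overwrite errno */
        free(dir);       /* the last read of dir happened above */
        errno = saved;
        return -1;
    }
    *kept = dir;         /* ownership moves to the caller: no early free */
    return 0;
}

int main(void)
{
    char *kept;
    int rc = enter_new_root("/", 0, &kept);   /* constructed input */
    free(kept);
    return rc == 0 ? 0 : 1;
}
```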