[Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC
bugzilla-daemon at mindrot.org
Tue Apr 1 07:50:14 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=526
Summary: potential ssh-keysign segfault if pktype == KEY_UNSPEC
Product: Portable OpenSSH
Version: 3.6p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: cjwatson at debian.org
gcc warns:
gcc -O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
-DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED -I.
-I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\"
-DSSH_RAND_HELPER=\"/usr/lib/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-keysign.c
ssh-keysign.c: In function `valid_request':
ssh-keysign.c:58: warning: `key' might be used uninitialized in this function
Looking at the code, indeed, key is only initialized if pktype != KEY_UNSPEC,
but if pktype == KEY_UNSPEC then fail will be non-zero and key_free() in the
following code may fire depending on what happens to be on the stack, possibly
causing a segfault:
	if (fail && key != NULL)
		key_free(key);
	else
		*ret = key;
I suggest explicitly initializing key to NULL.
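As an added illustration that is not part of the bug report or of OpenSSH, the following stand-alone C sketch models the valid_request() pattern described above with the suggested fix applied. The enum values, the Key struct, key_new(), key_from_blob() and the free counter are simplified stand-ins for OpenSSH's real types and are assumptions of this example.

```c
/* Added example, not OpenSSH code: a reduced model of valid_request()
 * with `key` explicitly initialized to NULL, as the report suggests.
 * All types and helpers below are simplified stand-ins. */
#include <stdlib.h>

enum { KEY_UNSPEC = 0, KEY_RSA = 1, KEY_DSA = 2 };   /* stand-in key types */

typedef struct { int type; } Key;                    /* stand-in for OpenSSH Key */

static int frees = 0;                                /* counts key_free() calls */

static Key *key_new(int type) {
	Key *k = calloc(1, sizeof *k);
	if (k != NULL)
		k->type = type;
	return k;
}

static void key_free(Key *k) { frees++; free(k); }

/* Stand-in for parsing the key blob: only known types yield a key. */
static Key *key_from_blob(int pktype) {
	return (pktype == KEY_RSA || pktype == KEY_DSA) ? key_new(pktype) : NULL;
}

/* Returns 0 and stores the key in *ret on success, -1 on failure.
 * Without the `= NULL` initializer, the pktype == KEY_UNSPEC path reaches
 * `key != NULL` with an indeterminate pointer and key_free() may run on
 * whatever happened to be on the stack; with it, the fail path is safe. */
static int valid_request(int pktype, Key **ret) {
	Key *key = NULL;          /* the fix: never leave `key` indeterminate */
	int fail = 0;

	if (pktype == KEY_UNSPEC) {
		fail++;               /* unknown type: `key` is never assigned */
	} else {
		key = key_from_blob(pktype);
		if (key == NULL)
			fail++;
	}

	/* same tail as the snippet quoted in the report */
	if (fail && key != NULL)
		key_free(key);
	else
		*ret = key;

	return fail ? -1 : 0;
}
```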