Core dump in sftp from CVS

[Darren Tucker]

Hi All.
	As I mentioned earlier, I've been having weird failures with both sshd
and sftp.  The sshd one turned out the be my fault (misplaced "}", grr)
but the sftp one doesn't appear to be.

	The sftp regression tests fail on the current portable tree on Solaris
and AIX (with my own mods to auth.c and regress/, but I don't think
that's related).  The test that fails is:

$ ./sftp -P sftp-server -B 5 -R 1 -b ./batch
Attaching to sftp-server...
sftp> version
SFTP protocol version 3
sftp> get /bin/ls ./copy.1
sftp> put /bin/ls ./copy.2
Segmentation Fault (core dumped)

	The cause appears to be sftp-int.c line 508:

506	/* Only one match, dst may be file, directory or unspecified */
507	if (g.gl_pathv[0] && g.gl_matchc == 1) {
508		if (!is_reg(g.gl_pathv[i])) {
				      ^^^
	The variable "i" is uninitialized at this point.  The code is the same
in OpenBSD and portable.

	Attached patch passes regression on Solaris 8.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: sftp-int.c
===================================================================
RCS file: /cvs/openssh/sftp-int.c,v
retrieving revision 1.44
diff -u -r1.44 sftp-int.c
--- sftp-int.c	14 Jan 2003 11:24:47 -0000	1.44
+++ sftp-int.c	16 Jan 2003 01:22:21 -0000
@@ -505,7 +505,7 @@
 
 	/* Only one match, dst may be file, directory or unspecified */
 	if (g.gl_pathv[0] && g.gl_matchc == 1) {
-		if (!is_reg(g.gl_pathv[i])) {
+		if (!is_reg(g.gl_pathv[0])) {
 			error("Can't upload %s: not a regular file",
 			    g.gl_pathv[0]);
 			err = 1;