[PATCH 5/12] bug fix: openssh-4.3p2 scp bugs

Kylene Jo Hall kjhall at us.ibm.com
Tue May 16 06:19:07 EST 2006

There are 2 bugs here.  The first is pipe's return code is not checked
in this instance and it can return a negative value.  The purpose of the
call is to make sure 0 and 1 are not assigned to the pin and pout
descriptors because those values won't work for later calls.  If the
pipe call fails the correct behavior cannot be ensured.  This patch adds
an error case consistent with the rest of the function.  

The second bug is a memory leak.  arg is allocated with xstrdup.  It is
the assigned in some paths to another local variable but neither are
ever freed.  This patch adds the xfree.

This entire set of patches passed the regression tests on my system.
Bugs found by Coverity.

Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
scp.c |    4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)

diff -uprN openssh-4.3p2/scp.c openssh-4.3p2-kylie/scp.c
--- openssh-4.3p2/scp.c	2006-01-31 05:11:38.000000000 -0600
+++ openssh-4.3p2-kylie/scp.c	2006-05-08 15:15:04.016516104 -0500
@@ -181,7 +181,8 @@ do_cmd(char *host, char *remuser, char *
 	 * Reserve two descriptors so that the real pipes won't get
 	 * descriptors 0 and 1 because that will screw up dup2 below.
-	pipe(reserved);
+	if (pipe(reserved) < 0)
+		fatal("pipe: %s", strerror(errno));
 	/* Create a socket pair for communicating with ssh. */
 	if (pipe(pin) < 0)
@@ -490,6 +491,7 @@ toremote(char *targ, int argc, char **ar
 			source(1, argv + i);
+	xfree(arg);

More information about the openssh-unix-dev mailing list