[PATCH 11/12] bugfix: openssh-4.3p2 variable reuse bug
Kylene Jo Hall
kjhall at us.ibm.com
Tue May 16 06:19:26 EST 2006
Since the comment variable is used later in the function for other
purposes, it is necessary to NULL the variable so it can be
differentiated as a new allocation from the previous use remnants
(which have already been freed) to avoid using an already freed pointer
in the assignment comment = cp ? *cp : comment when the code path is
such that comment has not been reset. This entire set of patches passed
the regression tests on my system. Bug found by Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
ssh-keygen.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
diff -uprN openssh-4.3p2/ssh-keygen.c openssh-4.3p2-kylie/ssh-keygen.c
--- openssh-4.3p2/ssh-keygen.c 2005-11-28 20:10:25.000000000 -0600
+++ openssh-4.3p2-kylie/ssh-keygen.c 2006-05-03 16:23:38.000000000 -0500
@@ -485,8 +485,10 @@ do_fingerprint(struct passwd *pw)
xfree(fp);
exit(0);
}
- if (comment)
+ if (comment) {
xfree(comment);
+ comment = NULL;
+ }
f = fopen(identity_file, "r");
if (f != NULL) {
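Review bot: the added comment = NULL; after xfree(comment) carries no code comment saying why it is needed, so a later cleanup could drop it as a redundant assignment and reintroduce the stale pointer. A one-line note at that spot, saying that comment is reused further down in do_fingerprint() and must not keep pointing at freed memory, would protect the fix. The later assignment named in the commit message (comment = cp ? *cp : comment) is outside this hunk, so it cannot be confirmed from these lines that every consumer of comment on that path handles a NULL value; that is worth checking before merge, since the pointer can now be NULL where it previously held a dangling address.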