Calysto v1.5 reports on ssh v4.6p1

Darren Tucker dtucker at zip.com.au
Sun Aug 12 11:19:56 EST 2007


Domagoj Babic wrote:
> New version of Calysto reports a warning that looks like a bug to me:
> 
> ------------------------------------------
> Possible NULL-ptr deref (vc27053):
> @/work/projects/llvm/tools/Calysto/IfaceSpecs/clib.c:1823
> Bug: ??
> Explanation:
> 
> choose_dh (dh.c:111) calls fopen twice (@120). If the first call to
> fopen fails (returns NULL), but the second one succeeds, fgets (@129) is
> called with f==NULL.

I don't follow.  If the second call to fopen succeeds, f is a valid FILE 
pointer returned by the second fopen call, not NULL.  If both fail, the 
function logs a warning, returns DH group 14 and never reaches the fgets.

120    if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
121        (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
122            logit("WARNING: %s does not exist, using fixed modulus",
123                _PATH_DH_MODULI);
124            return (dh_new_group14());
125    }
126
127    linenum = 0;
128    best = bestcount = 0;
129    while (fgets(line, sizeof(line), f)) {

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
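
The control flow discussed in the message above, reproduced as a small stand-alone harness for triaging the report. This is an added example, not part of the original message or of OpenSSH; `first_line`, `make_file`, the enum names and the file paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { USED_FIXED_GROUP, READ_FROM_FILE };	/* names assumed for this example */

/* Mirrors dh.c lines 120-129: try primary, fall back to secondary, return
 * early when both fopen calls fail. First line read is copied into out. */
static int first_line(const char *primary, const char *secondary,
    char *out, int outlen)
{
	FILE *f;

	out[0] = '\0';
	if ((f = fopen(primary, "r")) == NULL &&
	    (f = fopen(secondary, "r")) == NULL)
		return USED_FIXED_GROUP;	/* stands in for dh_new_group14() */
	/* Reached only if one of the two fopen calls returned non-NULL. */
	if (fgets(out, outlen, f) == NULL)
		out[0] = '\0';
	fclose(f);
	return READ_FROM_FILE;
}

/* Write text to path so the harness has one file that really exists. */
static int make_file(const char *path, const char *text)
{
	FILE *w = fopen(path, "w");
	int ok;

	if (w == NULL)
		return -1;
	ok = fputs(text, w) != EOF;
	return (fclose(w) == 0 && ok) ? 0 : -1;
}

int main(void)
{
	const char *missing = "/nonexistent/moduli";	/* constructed path */
	const char *present = "dh_fallback_example.tmp";	/* constructed file */
	char line[64];

	if (make_file(present, "constructed moduli line\n") != 0)
		return 1;
	/* First fopen fails, second succeeds: the case in the report. */
	printf("%d %s", first_line(missing, present, line, sizeof(line)), line);
	/* Both fail: early return, fgets is never reached. */
	printf("%d\n", first_line(missing, missing, line, sizeof(line)));
	remove(present);
	return 0;
}
```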


More information about the openssh-unix-dev mailing list