Invalid memory access / read stack overflow when reading config with zero bytes

Damien Miller djm at mindrot.org
Mon Mar 30 10:43:18 AEDT 2015


On Mon, 30 Mar 2015, Damien Miller wrote:

> On Mon, 30 Mar 2015, Hanno Böck wrote:
> 
> > On Mon, 30 Mar 2015 09:19:02 +1100 (AEDT)
> > Damien Miller <djm at mindrot.org> wrote:
> > 
> > > What version of OpenSSH is this?
> > 
> > 6.8 portable on Linux.
> 
> That's strange - the line numbers in the valgrind stack trace don't
> match. E.g.
> 
> ==5578==    at 0x4C2CFCA: __GI_strchr (in
> /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==5578==    by 0x117B6B: process_config_line (readconf.c:785)
> ==5578==    by 0x119DED: read_config_file (readconf.c:1633)

reproduced; the line numbers were wrong.

diff --git a/readconf.c b/readconf.c
index 42a2961..5130407 100644
--- a/readconf.c
+++ b/readconf.c
@@ -763,7 +763,9 @@ process_config_line(Options *options, struct passwd *pw, const char *host,
 	}
 
 	/* Strip trailing whitespace */
-	for (len = strlen(line) - 1; len > 0; len--) {
+	if ((len = strlen(line)) == 0)
+		return 0;
+	for (len--; len > 0; len--) {
 		if (strchr(WHITESPACE, line[len]) == NULL)
 			break;
 		line[len] = '\0';
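
Review bot: the new early `return 0` for `strlen(line) == 0` exits without any diagnostic, and given the subject (config files containing zero bytes) a line that begins with a NUL byte takes this path, so whatever follows the NUL on that line is dropped silently. A one-line comment above the check, stating that empty lines can reach this point and are deliberately ignored, would help, since the existing "Strip trailing whitespace" comment now sits above a check that is not about whitespace. The retained `len > 0` loop bound means line[0] is never tested; that is unchanged by this patch, but worth confirming as intended for a line that consists of a single whitespace character.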

