[Bug 1539] New: double-free when failing to parse a forwarding specification given using ~C

bugzilla-daemon at bugzilla.mindrot.org
Mon Nov 24 01:42:43 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1539

           Summary: double-free when failing to parse a forwarding
                    specification given using ~C
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: ix86
               URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505330
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: cjwatson at debian.org


Created an attachment (id=1581)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1581)
fix double-free if parsing forwarding specification fails

Arthur de Jong reported that ssh can be made to crash with a
double-free as follows:

% ssh somehost
[...]
% ~C
ssh> -L *.80:localhost:80
Bad forwarding specification.
*** glibc detected *** ssh: double free or corruption (fasttop): 0xb95431b0 ***

This is because parse_forward frees fwd->connect_host and
fwd->listen_host but doesn't set them to NULL, and so process_cmdline
tries to free them again. Patch attached.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
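
The bug class described in the report above, as an added example that is not part of the original report or of OpenSSH's code: a simplified C model in which a parser's failure path releases two fields and the caller's cleanup then releases them again. The struct, the static-pool allocator and the names t_strdup, t_free, parse_fail and run_case are hypothetical stand-ins; repeated releases are counted rather than passed to the real heap.

```c
#include <stdio.h>

/* Simplified stand-in for the forwarding struct: only the two fields the report names. */
struct fwd { char *listen_host; char *connect_host; };

/* Hypothetical tracking allocator over a static pool: a repeated release is
 * counted instead of reaching the real heap, so the demo is safe to run. */
static char pool[4][64];
static int in_use[4], double_frees;

static char *t_strdup(const char *s) {
    for (int i = 0; i < 4; i++)
        if (!in_use[i]) {
            in_use[i] = 1;
            snprintf(pool[i], sizeof pool[i], "%s", s);
            return pool[i];
        }
    return NULL;
}

static void t_free(char *p) {
    if (p == NULL) return;                  /* like free(NULL): no-op */
    for (int i = 0; i < 4; i++)
        if (p == pool[i]) { if (in_use[i]) in_use[i] = 0; else double_frees++; }
}

/* Parser failure path. clear=0 models the reported behaviour; clear=1 models
 * setting the fields to NULL after releasing them. */
static int parse_fail(struct fwd *f, int clear) {
    f->listen_host = t_strdup("*.80");      /* constructed sample values */
    f->connect_host = t_strdup("localhost");
    t_free(f->listen_host);
    t_free(f->connect_host);
    if (clear) f->listen_host = f->connect_host = NULL;
    return 0;                               /* 0 = bad specification */
}

/* Caller cleanup after a failed parse: releases both fields again. */
static int run_case(int clear) {
    struct fwd f = {NULL, NULL};
    double_frees = 0;
    parse_fail(&f, clear);
    t_free(f.listen_host);
    t_free(f.connect_host);
    return double_frees;                    /* repeated releases seen */
}

int main(void) {
    printf("without NULLing: %d, with NULLing: %d\n", run_case(0), run_case(1));
}
```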

