[Bug 1795] New: An integer variable "num" in mm_answer_pam_query() is not initialized before used

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Jul 13 19:11:19 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1795

           Summary: An integer variable "num" in mm_answer_pam_query() is
                    not initialized before used
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: bitman.zhou at centrify.com


An integer variable "num" in mm_answer_pam_query() is not
initialized before use if the PAM module has errors. This happens on HP-UX,
where the gcc compiler doesn't do default initialization.

------ code ------

int
mm_answer_pam_query(int sock, Buffer *m)
{
        char *name, *info, **prompts;
        u_int i, num, *echo_on;   /* <== num is not initialized and could be a random large number */
        int ret;

        debug3("%s", __func__);
        sshpam_authok = NULL;
        ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num,
            &prompts, &echo_on);   /* <== num may not be altered in this call */
        if (ret == 0 && num == 0)
                sshpam_authok = sshpam_ctxt;
        if (num > 1 || name == NULL || info == NULL)
                ret = -1;
        buffer_clear(m);
        buffer_put_int(m, ret);
        buffer_put_cstring(m, name);
        xfree(name);
        buffer_put_cstring(m, info);
        xfree(info);
        buffer_put_int(m, num);
        for (i = 0; i < num; ++i) {
                buffer_put_cstring(m, prompts[i]);  /* <== fail here! */
                xfree(prompts[i]);
                buffer_put_int(m, echo_on[i]);
        }


------- sshd debug log -----------

debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
buffer_put_cstring: s == NULL
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering

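An added example, not part of the original report and not OpenSSH code: a reduced model of the pattern described above, where a callee's error path leaves an out-parameter unwritten and the caller then uses it as a loop bound. The names query_fn, query_error, query_one_prompt, unchecked_loop_bound and checked_prompt_count are hypothetical, and the stale stack value is passed in explicitly as an assumption so the behaviour is deterministic.

```c
#include <stddef.h>
/* Hypothetical callback type modelled on the query call in the report. */
typedef int (*query_fn)(const char **, const char **, unsigned *, const char ***);

/* Constructed stub: the error path returns -1 and writes no out-parameter. */
int query_error(const char **name, const char **info,
                unsigned *num, const char ***prompts)
{
    (void)name; (void)info; (void)num; (void)prompts;
    return -1;
}

/* Constructed stub: the success path reports exactly one prompt. */
int query_one_prompt(const char **name, const char **info,
                     unsigned *num, const char ***prompts)
{
    static const char *one[] = { "Password: " };
    *name = ""; *info = ""; *num = 1; *prompts = one;
    return 0;
}

/* Bound the reported loop gets; `stale` models the leftover stack value. */
unsigned unchecked_loop_bound(query_fn query, unsigned stale)
{
    const char *name = NULL, *info = NULL, **prompts = NULL;
    unsigned num = stale;
    (void)query(&name, &info, &num, &prompts);
    return num;   /* for (i = 0; i < num; ++i) ... prompts[i] ... */
}

/* Hardened caller: every out-parameter starts defined, and num is trusted
 * only after the status and the pointers have been checked. */
unsigned checked_prompt_count(query_fn query, int *ret_out)
{
    const char *name = NULL, *info = NULL, **prompts = NULL;
    unsigned num = 0;
    int ret = query(&name, &info, &num, &prompts);
    if (num > 1 || name == NULL || info == NULL || prompts == NULL ||
        (num == 1 && prompts[0] == NULL))
        ret = -1;
    *ret_out = ret;
    return ret == 0 ? num : 0;   /* never serialize prompts on failure */
}

int main(void)
{
    int ret;
    return checked_prompt_count(query_error, &ret) == 0 && ret == -1 ? 0 : 1;
}
```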