[Bug 2535] New: Undefined behaviour of *printf in DISPLAY handling code

bugzilla-daemon at bugzilla.mindrot.org
Mon Feb 1 19:39:47 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2535

            Bug ID: 2535
           Summary: Undefined behaviour of *printf in DISPLAY handling
                    code
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Upstream commit [1] changed the logic of handling errors of the DISPLAY
variable and introduced undefined behaviour.

When the client requests X11 forwarding and does not have the DISPLAY
variable set, getenv returns NULL (ssh.c:1707), and the program gets into
the client_x11_get_proto() function, where the variable is passed directly
to the logit function as it is (clientloop.c:321).

This case is handled by current GCC and therefore does not cause a
segfault, but writes

    DISPLAY "(null)" invalid; disabling X11 forwarding

It is not correct and should be fixed, preferably by not going into
this branch in ssh.c:1710, because there is already one check for NULL
in the previous condition.

Originally reported as rhbz#1303260 [2].


[1]
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1303260

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
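
The following is an added example, not OpenSSH code and not part of the report: one way to keep a NULL DISPLAY from ever reaching a `%s` conversion, which is undefined behaviour in C, by separating the "unset" case before any message is formatted. The function names, the simplified character rule and the "not set" message text are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum x11_result { X11_OK, X11_UNSET, X11_INVALID };

/* Simplified validity rule assumed for this example (hypothetical helper). */
static int display_chars_ok(const char *d)
{
    if (*d == '\0')
        return 0;
    for (; *d != '\0'; d++)
        if (!isalnum((unsigned char)*d) && strchr(":/.-_", *d) == NULL)
            return 0;
    return 1;
}

/*
 * Classify DISPLAY and build the diagnostic. The NULL case returns before
 * any formatting, so "%s" only ever receives a real string.
 */
enum x11_result check_display(const char *display, char *msg, size_t len)
{
    if (display == NULL) {
        /* Hypothetical wording for the unset case. */
        snprintf(msg, len, "DISPLAY not set; disabling X11 forwarding");
        return X11_UNSET;
    }
    if (!display_chars_ok(display)) {
        snprintf(msg, len,
            "DISPLAY \"%s\" invalid; disabling X11 forwarding", display);
        return X11_INVALID;
    }
    if (len > 0)
        msg[0] = '\0';
    return X11_OK;
}

int main(void)
{
    /* Constructed sample values standing in for getenv("DISPLAY"). */
    const char *samples[] = { NULL, ":0", "localhost:10.0", "bad display;" };
    char msg[128];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum x11_result r = check_display(samples[i], msg, sizeof(msg));
        printf("%d %s\n", (int)r, msg);
    }
    return 0;
}
```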

