Some potential bugs in Openssh-6.2p1

Zhenbo Xu zhenbo1987 at gmail.com
Wed May 8 01:44:02 EST 2013


Hi,
I'm a developer of a static analysis tool, canalyze.
Recently I applied it to Openssh-6.2p1.
It seems some reports are real after manual checking:

1. Use undefined value
file: dispatch.c
function: dispatch_run
At line 93: type = packet_read_poll_seqnr(&seqnr);
seqnr may not be overridden at
file: packet.c
function: packet_read_poll_seqnr
line 1442
where compat20 is 0.

2. Null Pointer
file: session.c
function: child_set_env
At line 962: if (*envp == NULL && *envsizep == 0)
Is it possible that *envp == NULL while *envsizep != 0?
If it is feasible, null pointer dereference would occur
At line 975: for (i = 0; env[i]; i++)
env is null.

3. Null Pointer
file: serverloop.c
function: server_loop2
At line 853: rekeying = (xxx_kex != NULL && !xxx_kex->done);
xxx_kex may be null.

At line 871: xxx_kex->done = 0;
directly uses xxx_kex.

4. Null Pointer
file: sftp.c
function: parse_args
At line 1143: for (i = 0; cmds[i].c != NULL; i++) {
Could this loop break when cmds[i].c is null?
If so,
at line 1148: cmd = cmds[i].c;
cmd is null, which is passed to strlen at line 1237.

5. Use after free
file: uidswap.c
function: temporarily_use_uid
At line 113: xfree(user_groups);
user_groups is freed and is used
at line 117: if (setgroups(user_groupslen, user_groups) < 0)
as a function argument.

6. Use after free
file: monitor.c
function:
At line 1219: debug3("%s: key %p is %s",
__func__, key, allowed ? "allowed" : "not allowed");
in which key is released at line 1198: key_free(key);

Hoping for your replies!

Regards,

-- 
Zhenbo Xu
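The second report above asks whether an environment array pointer can be NULL while its companion size counter is non-zero, so that a check written only on the counter lets a later loop dereference NULL. The following is an added illustration of the defensive shape of such a helper; it is not OpenSSH's child_set_env and not code from the email. The names env_set, env_get, env_free and run_demo, the initial capacity of 4 and the sample variables are all constructed for this example.

```c
/*
 * Added illustration (not OpenSSH code): a child_set_env()-style helper that
 * grows a NULL-terminated "name=value" array.  It treats the array pointer
 * and the size counter as one unit and (re)initialises both whenever the
 * pointer is NULL, so a stale non-zero counter cannot lead to a NULL
 * dereference in the search loop.  All names here are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Set name=value, replacing an existing entry for name.
 * Returns the number of live entries, or -1 on allocation failure. */
static int env_set(char ***envp, unsigned int *envsizep,
                   const char *name, const char *value)
{
    char **env = *envp;
    size_t namelen = strlen(name), valuelen = strlen(value);
    unsigned int i;
    char *entry;

    /* Defensive invariant: a NULL array has zero usable entries, whatever
     * the caller's counter says.  Testing only *envsizep == 0 here would
     * leave the loop below reading through env == NULL. */
    if (env == NULL || *envsizep == 0) {
        *envsizep = 4;
        env = calloc(*envsizep, sizeof(*env));
        if (env == NULL)
            return -1;
        *envp = env;
    }

    /* Find an existing "name=" entry; the loop stops at the terminator. */
    for (i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
            break;

    /* Build the new entry before touching the array so a failed
     * allocation leaves the array intact. */
    entry = malloc(namelen + 1 + valuelen + 1);
    if (entry == NULL)
        return -1;
    memcpy(entry, name, namelen);
    entry[namelen] = '=';
    memcpy(entry + namelen + 1, value, valuelen + 1);

    if (env[i] != NULL) {
        free(env[i]);                     /* replace in place */
    } else {
        /* Appending needs room for the entry plus the NULL terminator. */
        if (i + 2 > *envsizep) {
            unsigned int newsize = *envsizep * 2;
            char **tmp = realloc(env, newsize * sizeof(*env));
            if (tmp == NULL) {
                free(entry);
                return -1;
            }
            env = tmp;
            *envp = env;
            *envsizep = newsize;
        }
        env[i + 1] = NULL;
    }
    env[i] = entry;

    for (i = 0; env[i] != NULL; i++)
        ;
    return (int)i;
}

/* Return the value stored for name, or NULL if absent (NULL array is safe). */
static const char *env_get(char **env, const char *name)
{
    size_t namelen = strlen(name);
    unsigned int i;

    if (env == NULL)
        return NULL;
    for (i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
            return env[i] + namelen + 1;
    return NULL;
}

static void env_free(char **env)
{
    unsigned int i;

    if (env == NULL)
        return;
    for (i = 0; env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Exercise the inconsistent state the report asks about: env == NULL while
 * the counter is non-zero.  Returns the final entry count (4), or -1. */
static int run_demo(void)
{
    char **env = NULL;
    unsigned int envsize = 7;           /* constructed stale counter */
    int n, ok;

    if (env_set(&env, &envsize, "PATH", "/usr/bin") != 1) goto fail;
    if (env_set(&env, &envsize, "HOME", "/home/u") != 2) goto fail;
    if (env_set(&env, &envsize, "USER", "u") != 3) goto fail;
    if (env_set(&env, &envsize, "SHELL", "/bin/sh") != 4) goto fail; /* grows to 8 */
    if (env_set(&env, &envsize, "PATH", "/bin") != 4) goto fail;     /* replace */
    ok = env_get(env, "PATH") != NULL && strcmp(env_get(env, "PATH"), "/bin") == 0
         && envsize == 8;
    for (n = 0; env[n] != NULL; n++)
        ;
    env_free(env);
    return ok ? n : -1;
fail:
    env_free(env);
    return -1;
}

int main(void)
{
    printf("entries after demo: %d\n", run_demo());
    return 0;
}
```

The point of the example is the first condition in env_set: with only a size check, the stale counter of 7 would skip initialisation and the search loop would read through a NULL pointer, which is exactly the path the report speculates about.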

