Mailing List Archive

[PATCH] Fixes null pointer dereference in do_setup_env().
There is a wrong usage of strchr() in openssh. strchr() shall return a
null pointer if the char was not found. Check whether return value is
NULL instead of dereferencing it.

Signed-off-by: Jubin Zhong <zhongjubin@huawei.com>
---
session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/session.c b/session.c
index b25cbca..9e9d5fe 100644
--- a/session.c
+++ b/session.c
@@ -1105,7 +1105,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
for (n = 0 ; n < auth_opts->nenv; n++) {
ocp = xstrdup(auth_opts->env[n]);
cp = strchr(ocp, '=');
- if (*cp == '=') {
+ if (cp != NULL) {
*cp = '\0';
/* Apply PermitUserEnvironment allowlist */
if (options.permit_user_env_allowlist == NULL ||
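Review bot: at `if (cp != NULL)`, an entry with no '=' now skips the block silently, and the visible lines do not show what happens to `ocp` (allocated by `xstrdup`) on that path. Confirm it is still freed after the `if`, and consider a debug log or a short comment stating that entries are expected to contain '=', so a malformed entry is noticed rather than quietly dropped. The NULL test itself is the right condition: a non-NULL return from `strchr(ocp, '=')` always points at '=', so the old `*cp == '='` could only be true or fault.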
--
1.8.5.6

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [PATCH] Fixes null pointer dereference in do_setup_env().
On Sat, 28 Nov 2020, Jubin Zhong wrote:

> There is a wrong usage of strchr() in openssh. strchr() shall return a
> null pointer if the char was not found. Check whether return value is
> NULL instead of dereferencing it.

Applied - thanks. In this case, cp==NULL should not be possible as the
auth_opts->env entries are guaranteed to contain '=' by auth-options.c.

-d