Bug 22307

Summary: ssh dumps core if fields in password entry are empty
Product: Base System
Reporter: brandt <brandt>
Component: bin
Assignee: Brian Feldman <green>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 5.0-CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description brandt 2000-10-26 11:00:01 UTC
	If one gets the passwords over NIS the pw_class in
	struct passwd may be empty (contain a NULL).
	OpenSSH calls xstrdup on pw_class. xstrdup doesn't check
	for NULL pointers being passed and ssh/sshd dumps core.
	Calling ssh for local accounts (like root) works ok.
	This fix seems (probably) to be introduced with the nsswitch import.

	While I'm in ssh.c: the strcpy on pw_class is called twice. This
	is obviously a memory leak.

Fix:
	Don't call xstrcpy in ssh.c:516 if pw_class is NULL. Remove
	ssh.c:519. Alternatively fix getpwent to always set pw_class.

How-To-Repeat:
	Configure your nsswitch.conf to get the passwords from a Solaris
	NIS server. Call ssh <host> from one of the NIS accounts.
Comment 1 Brian Somers freebsd_committer freebsd_triage 2000-11-01 00:08:25 UTC
Responsible Changed
From-To: freebsd-bugs->kris

I submitted a patch to kris a while ago for this....
Comment 2 Kris Kennaway freebsd_committer freebsd_triage 2000-11-13 02:28:12 UTC
Responsible Changed
From-To: kris->green

Green is taking over OpenSSH
Comment 3 Brian Feldman freebsd_committer freebsd_triage 2001-02-19 21:48:39 UTC
State Changed
From-To: open->closed

The problem was actually that pw_class should never be NULL in any 
case, so working around it in ssh is a bad idea.  Thanks for the 
report.
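
The failure mode in this report, as an added example that is not code from the bug thread, OpenSSH or FreeBSD: a copy routine that tolerates a NULL string field and duplicates each field exactly once. The `pw_entry` struct and the `dup_or_empty`, `pw_entry_copy` and `pw_entry_free` helpers are hypothetical names, and the sample entry is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct passwd's strings (pw_class is BSD-only). */
struct pw_entry {
    char *name;
    char *class;  /* login class: the field the report found NULL */
    char *dir;
    char *shell;
};

/* Aborting strdup wrapper that maps NULL to "" instead of dereferencing it. */
static char *dup_or_empty(const char *s)
{
    char *copy = strdup(s != NULL ? s : "");
    if (copy == NULL) {
        perror("strdup");
        exit(1);
    }
    return copy;
}

/* Duplicate each field exactly once, so dst owns non-NULL strings. */
void pw_entry_copy(struct pw_entry *dst, const struct pw_entry *src)
{
    dst->name  = dup_or_empty(src->name);
    dst->class = dup_or_empty(src->class);
    dst->dir   = dup_or_empty(src->dir);
    dst->shell = dup_or_empty(src->shell);
}

/* Release the copy; zeroing the pointers makes a repeated call harmless. */
void pw_entry_free(struct pw_entry *pw)
{
    free(pw->name); free(pw->class); free(pw->dir); free(pw->shell);
    memset(pw, 0, sizeof(*pw));
}

int main(void)
{
    /* Constructed sample: an NIS-style entry with no login class. */
    struct pw_entry nis = { "brandt", NULL, "/home/brandt", "/bin/sh" };
    struct pw_entry copy;
    pw_entry_copy(&copy, &nis);
    printf("class=\"%s\" shell=%s\n", copy.class, copy.shell);
    pw_entry_free(&copy);
    return 0;
}
```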