Bug 290956 - sftp-server needs to check if localtime(3) has failed and must not pass a NULL pointer to strftime(3)
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 16.0-CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Depends on: 288773
Reported: 2025-11-11 16:51 UTC by Wolfram Schneider
Modified: 2025-11-17 16:24 UTC

Description Wolfram Schneider freebsd_committer freebsd_triage 2025-11-11 16:51:18 UTC
sftp-server needs to check whether localtime() has failed and must not pass a NULL pointer to strftime() - this would lead to a segfault crash.

cd freebsd-src/crypto/openssh
git grep -B 1 -n localtime sftp-server.c

sftp-server.c-1015-             strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
sftp-server.c:1016:                 localtime(&t));
--
sftp-server.c-1072-                     strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
sftp-server.c:1073:                         localtime(&t));
--
sftp-server.c-1495-             strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
sftp-server.c:1496:                 localtime(&t));
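
The check the description asks for, as an added example that is not part of the report and is not code from sftp-server.c or OpenSSH: a hypothetical helper, `format_timestamp()`, tests the result of localtime(3) before calling strftime(3) and falls back to a placeholder string. The "unknown" placeholder, the function names and the sample values are assumptions of this example, and the failing input assumes a 64-bit time_t.

```c
/* Added example: hypothetical helper, not code from sftp-server.c. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TS_FMT "%Y%m%d-%H:%M:%S"	/* format string from the grep output */

/*
 * Format t into buf. Returns 0 on success, -1 if the time cannot be
 * represented or does not fit; on failure buf holds the placeholder
 * "unknown" (an assumption of this example) so callers can still log it.
 */
int
format_timestamp(time_t t, char *buf, size_t len)
{
	struct tm *tm;

	if (len == 0)
		return -1;
	tm = localtime(&t);
	/* localtime(3) returns NULL when the year does not fit in tm_year. */
	if (tm == NULL || strftime(buf, len, TS_FMT, tm) == 0) {
		snprintf(buf, len, "unknown");
		return -1;
	}
	return 0;
}

/* Constructed input: the largest 64-bit time_t, whose year overflows int. */
time_t
unrepresentable_time(void)
{
	return (time_t)INT64_MAX;
}

int
main(void)
{
	char buf[64];
	time_t samples[2] = { 0, 0 };
	size_t i;

	samples[1] = unrepresentable_time();
	for (i = 0; i < 2; i++) {
		int r = format_timestamp(samples[i], buf, sizeof(buf));
		printf("%s -> %s\n", r == 0 ? "ok" : "rejected", buf);
	}
	return 0;
}
```
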
Comment 1 Ed Maste freebsd_committer freebsd_triage 2025-11-11 17:23:39 UTC
Can you submit this one upstream as well?

Also curious about the discovery -- do you have a case that fails, or is this just by inspection?