Bug 1539 - double-free when failing to parse a forwarding specification given using ~C
Summary: double-free when failing to parse a forwarding specification given using ~C
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 5.1p1
Hardware: ix86 Linux
Importance: P2 normal
Assignee: Assigned to nobody
URL: http://bugs.debian.org/cgi-bin/bugrep...
Keywords:
Duplicates: 1548
Depends on:
Blocks: V_5_2
Reported: 2008-11-24 01:42 AEDT by Colin Watson
Modified: 2009-02-23 13:36 AEDT (History)

See Also:


Attachments
fix double-free if parsing forwarding specification fails (633 bytes, patch)
2008-11-24 01:42 AEDT, Colin Watson

Description Colin Watson 2008-11-24 01:42:42 AEDT
Created attachment 1581
fix double-free if parsing forwarding specification fails

Arthur de Jong reported that ssh can be made to crash with a double-free as follows:

% ssh somehost
[...]
% ~C
ssh> -L *.80:localhost:80
Bad forwarding specification.
*** glibc detected *** ssh: double free or corruption (fasttop): 0xb95431b0 ***

This is because parse_forward frees fwd->connect_host and fwd->listen_host but doesn't set them to NULL, and so process_cmdline tries to free them again. Patch attached.
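As an added illustration (not the attached patch and not OpenSSH's own code), a constructed C model of the failure described above: parse_forward releases its heap fields when the specification is rejected and, as the fix does, resets them to NULL so that process_cmdline's unconditional free becomes a harmless free(NULL). The struct layout, the simplified spec grammar and the port check are assumptions made for this model.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup() and strtok_r() */
#include <stdlib.h>
#include <string.h>
/* Constructed model of the struct the report describes; not OpenSSH's own code. */
struct fwd {
    char *listen_host;
    int   listen_port;
    char *connect_host;
    int   connect_port;
};
/* Whole string must be a number in 1..65535, so "*.80" is rejected. */
int parse_port(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    return (*s != '\0' && *end == '\0' && v >= 1 && v <= 65535) ? (int)v : -1;
}

/* Parse "[listen_host:]listen_port:connect_host:connect_port"; 1 on success, 0 on failure.
 * On failure the heap fields are freed AND reset to NULL (the fix), so a later free is harmless. */
int parse_forward(struct fwd *fwd, const char *spec)
{
    char *copy, *p, *save, *tok[4]; int n = 0, i = 0;
    memset(fwd, 0, sizeof(*fwd));
    if ((copy = strdup(spec)) == NULL) return 0;
    for (p = strtok_r(copy, ":", &save); p != NULL && n < 4; p = strtok_r(NULL, ":", &save))
        tok[n++] = p;
    if (n == 4)                                  /* optional listen_host present */
        fwd->listen_host = strdup(tok[i++]);
    if (n < 3 || (fwd->listen_port = parse_port(tok[i++])) < 0 ||
        (fwd->connect_host = strdup(tok[i++])) == NULL ||
        (fwd->connect_port = parse_port(tok[i])) < 0) {
        free(copy);
        free(fwd->listen_host);  fwd->listen_host = NULL;   /* the fix */
        free(fwd->connect_host); fwd->connect_host = NULL;  /* the fix */
        return 0;
    }
    free(copy);
    return 1;
}

/* Caller mirroring process_cmdline: it frees the fields whatever parse_forward returned. */
int process_cmdline(const char *spec)
{
    struct fwd fwd;
    int ok = parse_forward(&fwd, spec);
    free(fwd.listen_host); free(fwd.connect_host);   /* safe: NULL after a failed parse */
    return ok;
}
```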
Comment 1 Damien Miller 2008-12-08 09:32:11 AEDT
on the 5.2 list
Comment 2 Damien Miller 2008-12-09 14:13:06 AEDT
patch applied, will be in openssh-5.2 - thanks!
Comment 3 Ian Gallagher 2009-01-07 07:59:27 AEDT
*** Bug 1548 has been marked as a duplicate of this bug. ***
Comment 4 Damien Miller 2009-02-23 13:36:39 AEDT
Close bugs fixed/reviewed for openssh-5.2 release