On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote:
> Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
>  I've been kinda busy recently so I haven't kept up with recent changes so
> I'm not sure exactly what's changed in there.  Looks like it should be
> readily reproducible outside of sshd with a call to getnameinfo().

It's a null pointer deref.  Without understanding the surrounding code,
the following naive diff fixes it for me.

Eric?

Index: libc/asr/gethostnamadr_async.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/gethostnamadr_async.c,v
retrieving revision 1.28
diff -u -p -r1.28 gethostnamadr_async.c
--- libc/asr/gethostnamadr_async.c      26 Mar 2014 18:13:15 -0000      1.28
+++ libc/asr/gethostnamadr_async.c      12 May 2014 20:46:54 -0000
@@ -577,6 +577,8 @@ hostent_set_cname(struct hostent_ext *h,
                name = buf;
        }
 
+       if (name == NULL)
+               return (-1);
        n = strlen(name) + 1;
        if (h->pos + n >= h->end)
                return (-1);
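Review bot: The new `if (name == NULL) return (-1);` guard stops the crash, but it reports a missing canonical name with the same -1 that the following `if (h->pos + n >= h->end)` check uses for "buffer full", so callers cannot tell the two conditions apart, and the reason `name` arrives as NULL is still unexplained. Since the check sits right after the branch that sets `name = buf;`, a NULL here can only come from the caller passing one in; it would be worth finding that call site and deciding whether hostent_set_cname() should be reached with a NULL name at all, or whether the guard should instead be placed at the caller, before this patch is committed as the fix.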

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
