On Mon, May 12, 2014 at 09:25:45PM +0000, Florian Obser wrote:
> On Tue, May 13, 2014 at 06:51:16AM +1000, Darren Tucker wrote:
> > On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote:
> > > Indeed. It looks like a bug in the libc resolver rather than sshd,
> > > though.
> > > I've been kinda busy recently so I haven't kept up with recent changes so
> > > I'm not sure exactly what's changed in there. Looks like it should be
> > > readily reproducible outside of sshd with a call to getnameinfo().
> >
> > It's a null pointer deref. Without understanding the surrounding code,
> > the following naive diff fixes it for me.
> >
> > Eric?
>
> I think the bug is in hostent_file_match. The following diff has the
> advantage that this works in /etc/hosts:
>
> 192.0.2.1
> 192.0.2.1 foo
>
> $ getent hosts 192.0.2.1
> 192.0.2.1 foo
>
hm, maybe this is better:
diff --git gethostnamadr_async.c gethostnamadr_async.c
index 674bcb4..1c77bd9 100644
--- gethostnamadr_async.c
+++ gethostnamadr_async.c
@@ -440,6 +440,8 @@ hostent_file_match(FILE *f, int reqtype, int family, const
char *data,
goto found;
}
} else {
+ if (n < 2)
+ continue;
if (inet_pton(family, tokens[0], addr) == 1 &&
memcmp(addr, data, datalen) == 0)
goto found;
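Review bot: the `n < 2` guard sits in the right place, ahead of the `inet_pton`/`memcmp` comparison in the by-address `else` branch, so an /etc/hosts line that carries only an address is skipped before anything indexes past tokens[0]. Two things worth confirming: whether the by-name branch above (whose tail is visible at `goto found; }`) also indexes tokens without first checking `n`, and whether a bare-address line should be dropped silently, as here, or surfaced as a malformed entry so an operator can notice it.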
--
I'm not entirely sure you are real.
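To show the effect of that guard outside of libc, here is an added example written for this note (not OpenBSD's gethostnamadr_async.c): it reproduces the by-address matching step of hostent_file_match with the `n < 2` check, on the two constructed /etc/hosts lines from the thread, `192.0.2.1` and `192.0.2.1 foo`, and generalises to IPv6 entries. The helper names `hosts_tokenize` and `hosts_line_name_for_addr` are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAXTOKENS 8

/* Split one /etc/hosts line into whitespace-separated tokens, stopping at a
 * '#' comment. Unused tokens[] slots stay NULL: that NULL is what an
 * unguarded tokens[1] access dereferences on a bare-address line. */
static int hosts_tokenize(char *line, char **tokens, int maxtok)
{
    int n = 0;
    for (int i = 0; i < maxtok; i++)
        tokens[i] = NULL;
    for (char *p = strtok(line, " \t\r\n"); p != NULL && n < maxtok;
         p = strtok(NULL, " \t\r\n")) {
        if (*p == '#')
            break;
        tokens[n++] = p;
    }
    return n;
}

/* By-address match, mirroring the `else` branch of hostent_file_match with
 * the n < 2 guard (hypothetical helper, not libc code). Returns the canonical
 * hostname if `line` maps `addr_text`, otherwise NULL; a line that carries an
 * address but no hostname is skipped rather than dereferenced. */
const char *hosts_line_name_for_addr(const char *line, int family,
                                     const char *addr_text)
{
    static char name[256];
    char buf[256], *tokens[MAXTOKENS];
    unsigned char want[16], have[16];       /* room for an IPv6 address */
    size_t len = (family == AF_INET6) ? 16 : 4;

    if (inet_pton(family, addr_text, want) != 1)
        return NULL;
    snprintf(buf, sizeof buf, "%s", line);  /* strtok modifies its input */
    if (hosts_tokenize(buf, tokens, MAXTOKENS) < 2)  /* the fix from the diff */
        return NULL;
    if (inet_pton(family, tokens[0], have) == 1 &&
        memcmp(have, want, len) == 0) {
        snprintf(name, sizeof name, "%s", tokens[1]);
        return name;
    }
    return NULL;
}
```

Without the guard, the bare `192.0.2.1` line would pass the address comparison and the caller would then read the hostname from tokens[1], which is NULL.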