On Tue, May 13, 2014 at 06:51:16AM +1000, Darren Tucker wrote:
> On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote:
> > Indeed. It looks like a bug in the libc resolver rather than sshd, though.
> > I've been kinda busy recently so I haven't kept up with recent changes so
> > I'm not sure exactly what's changed in there. Looks like it should be
> > readily reproducible outside of sshd with a call to getnameinfo().
>
> It's a null pointer deref. Without understanding the surrounding code,
> the following naive diff fixes it for me.
>
> Eric?
I think the bug is in hostent_file_match. The following diff has the
advantage that this works in /etc/hosts:
192.0.2.1
192.0.2.1 foo
$ getent hosts 192.0.2.1
192.0.2.1 foo
diff --git gethostnamadr_async.c gethostnamadr_async.c
index 674bcb4..23d6c36 100644
--- gethostnamadr_async.c
+++ gethostnamadr_async.c
@@ -440,8 +440,8 @@ hostent_file_match(FILE *f, int reqtype, int family, const
char *data,
goto found;
}
} else {
- if (inet_pton(family, tokens[0], addr) == 1 &&
- memcmp(addr, data, datalen) == 0)
+ if (tokens[1] != NULL && inet_pton(family, tokens[0],
+ addr) == 1 && memcmp(addr, data, datalen) == 0)
goto found;
}
}
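Review bot: the `tokens[1] != NULL` guard is added only in the `else` (address-match) branch; the name-match branch above it, the one ending in `goto found;` just before `} else {`, is outside this hunk, so if that branch or the code at `found:` reads `tokens[1]` as the hostname, an address-only line can still reach it. Either confirm that the name branch already cannot run with a NULL `tokens[1]`, or move the check to where the line is split into `tokens` so both paths share it. It is also worth stating explicitly in the commit message that a line with only an address is now skipped rather than matched, since that is the behaviour the `getent hosts 192.0.2.1` example depends on.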
--
I'm not entirely sure you are real.
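To show what the guard in the diff above buys, here is an added, self-contained C example (not libc's hostent_file_match and not code from the thread) that tokenizes hosts(5)-style text the way the hunk assumes (tokens[0] is the address, tokens[1] the name, NULL-terminated) and performs the address-side match with the `tokens[1] != NULL` check in place. The hosts text, the function names `split_hosts_line`, `hosts_lookup_addr` and `lookup_name`, and the IPv6 line are all constructed for illustration; the IPv4 lines reproduce the two-line /etc/hosts case from the message.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAXTOKENS 16

/* Split one hosts(5) line into whitespace-separated tokens and
 * NULL-terminate the array, the layout the patched code assumes:
 * tokens[0] is the address, tokens[1] the name, tokens[2..] aliases.
 * Text after '#' is a comment. Returns the number of tokens found. */
static int
split_hosts_line(char *line, char *tokens[], int maxtokens)
{
	char *hash, *save, *tok;
	int n = 0;

	if ((hash = strchr(line, '#')) != NULL)
		*hash = '\0';
	for (tok = strtok_r(line, " \t\r", &save);
	    tok != NULL && n < maxtokens - 1;
	    tok = strtok_r(NULL, " \t\r", &save))
		tokens[n++] = tok;
	tokens[n] = NULL;
	return n;
}

/* Address lookup over hosts text (the shape of the else-branch in the
 * diff). Returns 1 and copies the name into out when a line carries a
 * matching address *and* a name; an address-only line is skipped by the
 * tokens[1] != NULL guard instead of dereferencing a NULL name.
 * Returns 0 when nothing matches and -1 when addr_str is not an address. */
int
hosts_lookup_addr(const char *hosts_text, int family, const char *addr_str,
    char *out, size_t outlen)
{
	unsigned char data[16], addr[16];
	size_t datalen = (family == AF_INET) ? 4 : 16;
	char buf[4096], *line, *lsave, *tokens[MAXTOKENS];

	if (inet_pton(family, addr_str, data) != 1)
		return -1;
	if (strlen(hosts_text) >= sizeof(buf))
		return -1;
	strcpy(buf, hosts_text);	/* strtok_r modifies its input */

	for (line = strtok_r(buf, "\n", &lsave); line != NULL;
	    line = strtok_r(NULL, "\n", &lsave)) {
		if (split_hosts_line(line, tokens, MAXTOKENS) == 0)
			continue;	/* blank or comment-only line */
		/* the guard from the patch: a line without a name never matches */
		if (tokens[1] != NULL && inet_pton(family, tokens[0], addr) == 1 &&
		    memcmp(addr, data, datalen) == 0) {
			snprintf(out, outlen, "%s", tokens[1]);
			return 1;
		}
	}
	return 0;
}

/* Convenience wrapper: the matched name, or NULL on no match / bad input. */
const char *
lookup_name(const char *hosts_text, int family, const char *addr_str)
{
	static char name[256];

	if (hosts_lookup_addr(hosts_text, family, addr_str, name, sizeof(name)) != 1)
		return NULL;
	return name;
}

/* Constructed hosts text (not a real system file): the thread's
 * address-only line followed by the same address with a name, plus an
 * IPv6 line to show the same path with a 16-byte comparison. */
const char *EXAMPLE_HOSTS =
    "# constructed sample\n"
    "192.0.2.1\n"
    "192.0.2.1 foo\n"
    "2001:db8::1 bar bar.example\n";

int
main(void)
{
	const char *name = lookup_name(EXAMPLE_HOSTS, AF_INET, "192.0.2.1");

	printf("192.0.2.1 %s\n", name ? name : "(no match)");	/* prints "192.0.2.1 foo" */
	return 0;
}
```

The first "192.0.2.1" line produces tokens[0] only, so the guard skips it and the lookup continues to the next line, which is exactly the `getent hosts 192.0.2.1` result quoted in the message; without the guard a matcher that later reads tokens[1] as the hostname would dereference NULL on that first line.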