sftp: avoid leaking path arg in calls to make_absolute_pwd_glob
ClosedPublic
Actions

Authored by emaste on Nov 3 2022, 5:28 PM.

Details

Reviewers

Commits

rG52503c4477cc: sftp: avoid leaking path arg in calls to make_absolute_pwd_glob
rG533a942a213c: sftp: avoid leaking path arg in calls to make_absolute_pwd_glob
rG69c72a57af84: sftp: avoid leaking path arg in calls to make_absolute_pwd_glob

Summary

As Coverity reports:
    Overwriting tmp in tmp = make_absolute_pwd_glob(tmp, remote_path)
    leaks the storage that tmp points to.

Consume the first arg in make_absolute_pwd_glob, and add xstrdup() to
the one case which did not assign to the same variable that was passed
in.

Reported by:    Coverity Scan
CID:            1500409
Sponsored by:   The FreeBSD Foundation
Differential Revision:

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

emaste requested review of this revision.Nov 3 2022, 5:28 PM

emaste created this revision.

markj added inline comments.Nov 3 2022, 9:07 PM

crypto/openssh/sftp.c
624	The const qualifier on `*p` has to be dropped too.

update from @markj

markj accepted this revision.Nov 4 2022, 2:19 PM

This revision is now accepted and ready to land.Nov 4 2022, 2:19 PM

rebase after 9.3p1 update, which included a fix for this same issue reported by upstream

commit 36c6c3eff5e4a669ff414b9daf85f919666e8e03
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Wed Mar 8 06:21:32 2023 +0000

    upstream: Plug mem leak. Coverity CID 405196, ok djm@
    
    OpenBSD-Commit-ID: 175f09349387c292f626da68f65f334faaa085f2

diff --git a/sftp.c b/sftp.c
index 3a2525462..4a3774421 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.227 2023/03/08 04:43:12 guenther Exp $ */
+/* $OpenBSD: sftp.c,v 1.228 2023/03/08 06:21:32 dtucker Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -1997,7 +1997,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 
        memset(&g, 0, sizeof(g));
        if (remote != LOCAL) {
-               tmp = make_absolute_pwd_glob(tmp, remote_path);
+               tmp2 = make_absolute_pwd_glob(tmp, remote_path);
+               free(tmp);
+               tmp = tmp2;
                remote_glob(conn, tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g);
        } else
                glob(tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g);

This revision now requires review to proceed.Mar 21 2023, 7:01 PM

Note that this patch was proposed upstream at https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-November/040497.html but received no response.
I followed up with a link to the updated patch here, in https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-March/040655.html

So that upstream commit fixed only one of the leaks, right?

This patch looks good. It gives make_absolute() and make_absolute_pwd_glob() have the same semantics wrt freeing the input string.

This revision is now accepted and ready to land.Mar 22 2023, 1:59 PM

So that upstream commit fixed only one of the leaks, right?

Yes - in a FreeBSD run Coverity reported only a single instance of the leak, but I fixed the general issue. I suspect Coverity gave the same report to OpenBSD and they fixed only the single instance.

Closed by commit rG69c72a57af84: sftp: avoid leaking path arg in calls to make_absolute_pwd_glob (authored by emaste). · Explain WhyMar 22 2023, 3:05 PM

This revision was automatically updated to reflect the committed changes.

emaste added a commit: rG69c72a57af84: sftp: avoid leaking path arg in calls to make_absolute_pwd_glob.

Herald added a subscriber: imp. · View Herald TranscriptMar 22 2023, 3:05 PM

emaste added a commit: rG533a942a213c: sftp: avoid leaking path arg in calls to make_absolute_pwd_glob.Apr 21 2023, 1:47 PM

emaste added a commit: rG52503c4477cc: sftp: avoid leaking path arg in calls to make_absolute_pwd_glob.Jun 6 2023, 12:46 PM