Bug 17484 - Cvs pserver segfaults when given an account with no password.
Summary: Cvs pserver segfaults when given an account with no password.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: cvs   
(Show other bugs)
Version: 6.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-09-13 23:05 UTC by John Heidemann
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-09-14 17:47:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description John Heidemann 2000-09-13 23:05:49 UTC
(bug also sent to bug-cvs@gnu.org)

er-Id:   net
>Originator:     John Heidemann
>Organization:
net
>Confidential:  no
>Synopsis:      cvs pserver segfaults on systems where crypt doesn't handle
null pointers
>Severity:      serious
>Priority:      medium
>Category:      cvs
>Class:         sw-bug
>Release:       cvs-1.10.7
>Environment:
        <machine, os, target, libraries (multiple lines)>
System: Linux vir.isi.edu 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686
unknow\
n
Architecture: i686
redhat-6.2 linux with RH-supplied upgrades

>Description:

Cvs pserver segfaults when given an account with no password.
On some systems like redhat 6.2, crypt(3) doesn't like being given
NULL string values and segfaults.  This causes anon cvs access to fail
if the account has no password.


>How-To-Repeat:

set up a cvs server with a passwd file containing only "anoncvs:".
Run "cvs -f --allow-root=/path/to/CVSROOT pserver"
and type this as standard input:

BEGIN VERIFICATION REQUEST
/path/to/CVSROOT
anoncvs
A
END VERIFICATION REQUEST

The following crash occurs:
	Program received signal SIGSEGV, Segmentation fault.
	strncmp (s1=0x4001fc00 "$1$", s2=0x0, n=3) at
../sysdeps/generic/strncmp.c:65
	65      ../sysdeps/generic/strncmp.c: No such file or directory.
	(gdb) bt
	#0  strncmp (s1=0x4001fc00 "$1$", s2=0x0, n=3)
	    at ../sysdeps/generic/strncmp.c:65
	#1  0x4001d15b in crypt (key=0x80cf640 "", salt=0x0)
	    at ../crypt/sysdeps/unix/crypt-entry.c:127
	#2  0x808898a in strcpy () at ../sysdeps/generic/strcpy.c:30
	#3  0x8088a15 in strcpy () at ../sysdeps/generic/strcpy.c:30
	#4  0x8088d03 in strcpy () at ../sysdeps/generic/strcpy.c:30
	#5  0x806c478 in strcpy () at ../sysdeps/generic/strcpy.c:30
	#6  0x4010a9cb in __libc_start_main (main=0x806bee0 <strcpy+136076>,
argc=4, 
	    argv=0xbffffb54, init=0x804a134, fini=0x80ab0ac <fstat+88>, 
	    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb4c)
	    at ../sysdeps/generic/libc-start.c:92

(apparently cvs was stripped so this is only the traceback in glibc).

>Fix:


The following patch fixes the problem by explicitly checking for null
passwords:

--- server.c-   Wed Sep 13 15:02:44 2000
+++ server.c    Wed Sep 13 15:51:13 2000
@@ -5229,6 +5229,7 @@
     if (fclose (fp) < 0)
        error (0, errno, "cannot close %s", filename);
 
+    *host_user_ptr = NULL;
     /* If found_it != 0, then linebuf contains the information we need. */
     if (found_it)
     {
@@ -5240,23 +5241,20 @@
        if (host_user_tmp == NULL)
             host_user_tmp = username;
 
-       if (strcmp (found_password, crypt (password, found_password)) == 0)
-        {
-            /* Give host_user_ptr permanent storage. */
-            *host_user_ptr = xstrdup (host_user_tmp);
+       /* if both are empty, match (avoid passing NULLs to crypt)
+          if only one is empty, fail,
+          otherwise try to match. */
+       if ((!password || strlen(password) == 0) && (!found_password ||
strlen(found_password) == 0))
+               retval = 1;
+        else if (!password || strlen(password) == 0 || !found_password ||
strlen(found_password) == 0)
+           retval = 2;
+       else if (strcmp (found_password, crypt (password, found_password))
== 0)
            retval = 1;
-        }
-       else
-        {
-            *host_user_ptr = NULL;
-           retval         = 2;
-        }
-    }
-    else
-    {
-       *host_user_ptr = NULL;
-       retval = 0;
+       else retval = 2;
+        if (retval == 1) /* Give host_user_ptr permanent storage. */
+           *host_user_ptr = xstrdup(host_user_tmp);
     }
+    else retval = 0;
 
     free (filename);
     if (linebuf)

Comment 1 John Heidemann 2000-09-14 17:47:22 UTC
according to the cvs maintainers this bug is fixed in cvs-1.10.8
(and that's actually in the RH 7.0 beta), so this bug report should be changed
to resovled


Note You need to log in before you can comment on or make changes to this bug.