Bug 17484 - Cvs pserver segfaults when given an account with no password.
Cvs pserver segfaults when given an account with no password.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: cvs (Show other bugs)
6.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-09-13 19:05 EDT by John Heidemann
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-09-14 13:47:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Heidemann 2000-09-13 19:05:49 EDT
(bug also sent to bug-cvs@gnu.org)

er-Id:   net
>Originator:     John Heidemann
>Organization:
net
>Confidential:  no
>Synopsis:      cvs pserver segfaults on systems where crypt doesn't handle
null pointers
>Severity:      serious
>Priority:      medium
>Category:      cvs
>Class:         sw-bug
>Release:       cvs-1.10.7
>Environment:
        <machine, os, target, libraries (multiple lines)>
System: Linux vir.isi.edu 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686
unknow\
n
Architecture: i686
redhat-6.2 linux with RH-supplied upgrades

>Description:

Cvs pserver segfaults when given an account with no password.
On some systems like redhat 6.2, crypt(3) doesn't like being given
NULL string values and segfaults.  This causes anon cvs access to fail
if the account has no password.


>How-To-Repeat:

set up a cvs server with a passwd file containing only "anoncvs:".
Run "cvs -f --allow-root=/path/to/CVSROOT pserver"
and type this as standard input:

BEGIN VERIFICATION REQUEST
/path/to/CVSROOT
anoncvs
A
END VERIFICATION REQUEST

The following crash occurs:
	Program received signal SIGSEGV, Segmentation fault.
	strncmp (s1=0x4001fc00 "$1$", s2=0x0, n=3) at
../sysdeps/generic/strncmp.c:65
	65      ../sysdeps/generic/strncmp.c: No such file or directory.
	(gdb) bt
	#0  strncmp (s1=0x4001fc00 "$1$", s2=0x0, n=3)
	    at ../sysdeps/generic/strncmp.c:65
	#1  0x4001d15b in crypt (key=0x80cf640 "", salt=0x0)
	    at ../crypt/sysdeps/unix/crypt-entry.c:127
	#2  0x808898a in strcpy () at ../sysdeps/generic/strcpy.c:30
	#3  0x8088a15 in strcpy () at ../sysdeps/generic/strcpy.c:30
	#4  0x8088d03 in strcpy () at ../sysdeps/generic/strcpy.c:30
	#5  0x806c478 in strcpy () at ../sysdeps/generic/strcpy.c:30
	#6  0x4010a9cb in __libc_start_main (main=0x806bee0 <strcpy+136076>,
argc=4, 
	    argv=0xbffffb54, init=0x804a134, fini=0x80ab0ac <fstat+88>, 
	    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb4c)
	    at ../sysdeps/generic/libc-start.c:92

(apparently cvs was stripped so this is only the traceback in glibc).

>Fix:


The following patch fixes the problem by explicitly checking for null
passwords:

--- server.c-   Wed Sep 13 15:02:44 2000
+++ server.c    Wed Sep 13 15:51:13 2000
@@ -5229,6 +5229,7 @@
     if (fclose (fp) < 0)
        error (0, errno, "cannot close %s", filename);
 
+    *host_user_ptr = NULL;
     /* If found_it != 0, then linebuf contains the information we need. */
     if (found_it)
     {
@@ -5240,23 +5241,20 @@
        if (host_user_tmp == NULL)
             host_user_tmp = username;
 
-       if (strcmp (found_password, crypt (password, found_password)) == 0)
-        {
-            /* Give host_user_ptr permanent storage. */
-            *host_user_ptr = xstrdup (host_user_tmp);
+       /* if both are empty, match (avoid passing NULLs to crypt)
+          if only one is empty, fail,
+          otherwise try to match. */
+       if ((!password || strlen(password) == 0) && (!found_password ||
strlen(found_password) == 0))
+               retval = 1;
+        else if (!password || strlen(password) == 0 || !found_password ||
strlen(found_password) == 0)
+           retval = 2;
+       else if (strcmp (found_password, crypt (password, found_password))
== 0)
            retval = 1;
-        }
-       else
-        {
-            *host_user_ptr = NULL;
-           retval         = 2;
-        }
-    }
-    else
-    {
-       *host_user_ptr = NULL;
-       retval = 0;
+       else retval = 2;
+        if (retval == 1) /* Give host_user_ptr permanent storage. */
+           *host_user_ptr = xstrdup(host_user_tmp);
     }
+    else retval = 0;
 
     free (filename);
     if (linebuf)
Comment 1 John Heidemann 2000-09-14 13:47:22 EDT
according to the cvs maintainers this bug is fixed in cvs-1.10.8
(and that's actually in the RH 7.0 beta), so this bug report should be changed
to resovled

Note You need to log in before you can comment on or make changes to this bug.