Hi,

I wrote a patch to improve sending the struct passwd value. And I believe one ToDo comment will be finished.

When ssh forks a child process for authentication, the parent process proxies pwnamallow() execution in mm_answer_pwnamallow(). Through this proxy, struct passwd values are sent via a UNIX domain socket. That includes pointer values, because the whole structure's memory is copied by memcpy().

Fortunately, all pointer members are replaced by actual strings (e.g. pw_name, pw_passwd, ...) for now. But if a new pointer member is added, it will never be rewritten and can be a wild pointer. My patch avoids this.

Take a look at my GitHub pull request to see my patch.

https://github.com/openssh/openssh-portable/pull/216

Thank you!

--
Yuichiro NAITO (naito.yuichiro@xxxxxxxxx)