misc: Fix possible NULL dereference

thanks oss-fuzz https://issues.oss-fuzz.com/u/1/issues/482613826 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Pavol Žáčik <pzacik@redhat.com> Reviewed-by: Sahana Prasad <sahana@redhat.com>
2026-02-11 18:50:28 +09:00 · 2026-02-09 10:50:19 +01:00
parent 6a7f19ec34
commit 60ad19c2c8
2 changed files with 43 additions and 5 deletions
--- a/src/misc.c
+++ b/src/misc.c
@@ -1264,6 +1264,7 @@ static char *get_connection_hash(ssh_session session)
    SHACTX ctx = sha1_init();
    char strport[10] = {0};
    unsigned int port;
+    char *username = NULL;
    int rc;

    if (session == NULL) {
@@ -1286,6 +1287,9 @@ static char *get_connection_hash(ssh_session session)
    SAFE_FREE(local_hostname);

    /* Remote hostname %h */
+    if (session->opts.host == NULL) {
+        goto err;
+    }
    rc = sha1_update(ctx, session->opts.host, strlen(session->opts.host));
    if (rc != SSH_OK) {
        goto err;
@@ -1300,9 +1304,18 @@ static char *get_connection_hash(ssh_session session)
    }

    /* The remote username %r */
-    rc = sha1_update(ctx,
-                     session->opts.username,
-                     strlen(session->opts.username));
+    username = session->opts.username;
+    if (username == NULL) {
+        /* fallback to local username: it will be used if not explicitly set */
+        username = ssh_get_local_username();
+        if (username == NULL) {
+            goto err;
+        }
+    }
+    rc = sha1_update(ctx, username, strlen(username));
+    if (username != session->opts.username) {
+        free(username);
+    }
    if (rc != SSH_OK) {
        goto err;
    }
--- a/tests/client/torture_client_config.c
+++ b/tests/client/torture_client_config.c
@@ -238,6 +238,31 @@ static void torture_client_config_suppress(void **state)
    assert_string_equal(s->ssh.session->opts.username, "bob");
 }

+static void torture_client_config_expand_bad(void **state)
+{
+    ssh_session session = ssh_new();
+    int ret = 0;
+
+    (void)state;
+
+    assert_non_null(session);
+
+    /* The hash without host fails, but does not crash */
+    ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, "%C");
+
+    ret = ssh_options_apply(session);
+    assert_ssh_return_code_equal(session, ret, SSH_ERROR);
+
+    /* The hash without host fails, but does not crash */
+    ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
+    ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, "%C");
+
+    ret = ssh_options_apply(session);
+    assert_ssh_return_code_equal(session, ret, SSH_OK);
+
+    ssh_free(session);
+}
+
 static void torture_client_config_expand(void **state)
 {
    struct torture_state *s = *state;
@@ -434,8 +459,9 @@ static void torture_client_config_expand(void **state)
 int torture_run_tests(void) {
    int rc;
    struct CMUnitTest tests[] = {
-        /* Keep this first -- following setup is changing user to bob, which we
+        /* Keep these first -- following setup is changing user to bob, which we
         * do not want */
+        cmocka_unit_test(torture_client_config_expand_bad),
        cmocka_unit_test_setup_teardown(torture_client_config_expand,
                                        setup_session,
                                        teardown_session),
@@ -453,7 +479,6 @@ int torture_run_tests(void) {
                                        teardown),
    };

-
    ssh_init();
    torture_filter_tests(tests);
    rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);