[Developers] SSHKeychain crashes after waking laptop (PATCH)
Brion Vibber
brion at pobox.com
Thu Dec 28 21:57:28 CET 2006
[resending as I wasn't subscribed properly]
I've been experiencing intermittent crashes of SSHKeychain on my MacBook
when waking from sleep. (SSHKeychain built from SVN source, as there's
no Intel release yet.)
It dies in [Controller askPassphrase:withInteraction:] at line 453,
trying to deref a bogus string.
I think the crash is caused by the combination of:
* kcPassword and passwordLength are not initialized
* returnStatus is initialized to noErr
* interactive is NO, so only unlocked keychains are checked
* all my keychains are locked because I've just woken up the machine
returnStatus is never actually set because no actual checks occur... but
since it's noErr, the garbage values in kcPassword and passwordLength
get dereferenced, and the program crashes.
The bug seems pretty easily reproducible for me:
* Wake from sleep into a relatively fresh state
* Start SSHKeychain
* ssh to something and type in key passphrase in the box
* Put machine to sleep
* Wake from sleep
* At this point we find that SSHKeychain has crashed.
I'm working around it by initializing returnStatus to -1, so if no
checks are ever run at least it won't try to dereference the bogus password.
One-line patch attached.
I've also made a Universal build, briefly tested to make sure it also
runs on PPC:
http://leuksman.com/mac/keychain/SSHKeychain.zip
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
-------------- next part --------------
Index: Controller.m
===================================================================
--- Controller.m (revision 95)
+++ Controller.m (working copy)
@@ -350,7 +350,7 @@
char *kcPassword;
UInt32 passwordLength;
SecKeychainStatus keychainStatus;
- OSStatus returnStatus = noErr;
+ OSStatus returnStatus = -1; /* Don't set to noErr or we can crash if nothing is ever checked */
SecKeychainRef keychain;
CFArrayRef searchList;
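Review bot: kcPassword and passwordLength, in the context lines just above the changed line, are still declared without initializers, so the fix relies on every path that leaves returnStatus at noErr having filled both in. Consider initializing them in the same change (char *kcPassword = NULL; UInt32 passwordLength = 0;) and checking kcPassword for NULL before it is used. A named OSStatus error constant in place of the bare -1 would also make the fail-closed default self-documenting without needing the comment.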
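The failure mode described in the message above, as an added example that is not part of the original post or of SSHKeychain's code: a status variable that starts as "success" survives a scan in which every keychain is skipped. All names here (`status_t`, `struct keychain`, `find_password`, `scan`, `lookup`) are hypothetical stand-ins and the sample keychains are constructed; no Security framework calls are used.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the pattern in the post; not SSHKeychain
   or Security framework code. */
typedef int status_t;
enum { ST_OK = 0, ST_FAIL = -1 };
struct keychain { int locked; const char *secret; };

/* Writes the out-parameters only on success, like a keychain lookup. */
static status_t find_password(const struct keychain *kc,
                              const char **pw, size_t *len) {
    if (kc->secret == NULL) return ST_FAIL;
    *pw = kc->secret;
    *len = strlen(kc->secret);
    return ST_OK;
}

/* Non-interactive scan: locked keychains are skipped, so with every
   keychain locked the status keeps whatever value it started with. */
static status_t scan(const struct keychain *list, size_t n, status_t initial,
                     const char **pw, size_t *len) {
    status_t st = initial;
    for (size_t i = 0; i < n; i++) {
        if (list[i].locked) continue;
        st = find_password(&list[i], pw, len);
        if (st == ST_OK) break;
    }
    return st;
}

/* Fail-closed caller: failure status and empty out-values by default,
   and the password is read only after a lookup reported success.
   Returns the password length, or -1 when nothing was found. */
static long lookup(const struct keychain *list, size_t n, const char **out) {
    const char *pw = NULL;
    size_t len = 0;
    *out = NULL;
    if (scan(list, n, ST_FAIL, &pw, &len) != ST_OK || pw == NULL) return -1;
    *out = pw;
    return (long)len;
}

int main(void) {
    struct keychain asleep[] = { {1, "hunter2"}, {1, "s3cret"} }; /* constructed */
    const char *pw = NULL; size_t len = 0;
    /* Starting at ST_OK reports success although nothing was checked. */
    printf("start ST_OK:   %d\n", scan(asleep, 2, ST_OK, &pw, &len));
    printf("start ST_FAIL: %d\n", scan(asleep, 2, ST_FAIL, &pw, &len));
    printf("lookup: %ld\n", lookup(asleep, 2, &pw));
    return 0;
}
```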