gpg-agent from gnupg-2.0.17 crashes when trying to add ECDSA key

Nico n-roeser at
Sat Jun 18 11:40:40 CEST 2011


When I try to add an ECDSA key to a running gpg-agent, the agent crashes:

$ eval `LC_ALL=POSIX gpg-agent --daemon --debug-all --enable-ssh-support`
gpg-agent[6688]: NOTE: no default option file
gpg-agent[6688]: enabled debug flags: command mpi crypto memory cache
memstat hashing assuan
gpg-agent[6688]: listening on socket `/tmp/gpg-zuZIze/S.gpg-agent'
gpg-agent[6688]: listening on socket `/tmp/gpg-rOACBd/S.gpg-agent.ssh'
gpg-agent[6689]: gpg-agent (GnuPG) 2.0.17 started
$ LC_ALL=POSIX ssh-add /tmp/testkey
gpg-agent[6689]: ssh handler 0x9a9a328 for fd 7 started
gpg-agent[6689]: ssh request handler for add_identity (17) started
*** glibc detected *** gpg-agent: free(): invalid pointer: 0x080801ad ***
Error reading response length from authentication socket.
Could not add identity: /tmp/testkey

The bug is triggered in gnupg-2.0.17/agent/command-ssh.c, line 1410,
which says ‘xfree (comment);’.

Here is a (forced) backtrace (I added code to divide by zero), in order
to see what functions were called before it crashed. Ignore the line
numbers, as I added some debugging output.

#0  0x08055184 in ssh_receive_key (stream=<value optimized out>,
key_new=0xb765bf1c, secret=1, read_comment=1, key_spec=0x0) at
#1  0x08055cec in ssh_handler_add_identity (ctrl=0x80dc258,
request=0x80debd8, response=0x80e0cb8) at command-ssh.c:2536
#2  0x08057d5d in ssh_request_process (ctrl=0x80dc258, sock_client=7) at
#3  start_command_handler_ssh (ctrl=0x80dc258, sock_client=7) at
#4  0x0804e097 in start_connection_thread_ssh (arg=0x80dc258) at
#5  0xb77f2d89 in pth_spawn_trampoline () at pth_lib.c:216
#6  0xb769f01b in makecontext () at
#7  0xbff83768 in ?? ()
#8  0x00000000 in ?? ()

A quick look at the ssh_key_types structure in command-ssh.c (lines 218
ff.) suggests that gpg-agent does not yet support ECDSA keys; is that
right? Nevertheless, it should not crash, but rather return some kind of
informative message or so.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110618/afa6ef49/attachment.pgp>

More information about the Gnupg-devel mailing list