Bugtraq mailing list archives

Re: SSH deja vu


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 23 Oct 2001 19:11:01 -0400 (EDT)

On Wed, 24 Oct 2001, Lucian Hudin wrote:

> I don't know about any teso exploit, but what I want to mention is
> that I remember studying this problem myself and I've found that the
> crc32 bug doesn't manifest under operating systems that return NULL on
> realloc(ptr, 0); So if the exploit is based on the fact that
> realloc(ptr, 0) will NOT return NULL, Linux & W2k (systems I have
> access on) were never actually vulnerable.

Very interesting conclusion - but certainly wrong. Actually, modern
systems usually allow you to allocate zero-sized "placeholders", and
Linux, *BSD and (IIRC) Solaris follow this rule. Two proof-of-concept
exploits were already published on BUGTRAQ, numerous others - developed
for a not so broad audience.

> The Linux realloc manual says :
> "realloc() returns a pointer to the newly allocated memory, which is
> suitably aligned for any kind of variable and may be different
> from ptr, or NULL if the request fails or if size was equal to 0."

The manual page is wrong. This is not the behavior of recent glibc
releases.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
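The disagreement above turns on what realloc(ptr, 0) returns, which differs between platforms and libc releases. The C program below is an added example, not code from the thread or from SSH: it reports the behaviour of the system it runs on and shows an allocation helper that rejects zero-sized tables up front, so that code such as a CRC32 compensation detector never depends on that return value. The function names (probe_realloc_zero, table_realloc) are my own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What realloc(ptr, 0) does on the running platform. This is a diagnostic
 * only; the point of the thread is that correct code must not rely on it. */
enum zero_realloc_behavior { ZR_RETURNS_NULL, ZR_RETURNS_POINTER };

enum zero_realloc_behavior probe_realloc_zero(void)
{
    void *p = malloc(16);
    if (p == NULL)
        abort();
    void *q = realloc(p, 0);
    if (q == NULL) {
        /* Whether p was freed here is implementation-defined (C17 7.22.3.5),
         * so we can neither free it nor reuse it: a 16-byte leak is accepted
         * in this probe rather than risking a double free. */
        return ZR_RETURNS_NULL;
    }
    free(q);                      /* q is a zero-sized placeholder block */
    return ZR_RETURNS_POINTER;
}

/* Table (re)allocator that never takes the size-0 path: a zero element
 * count is refused, and n * elem_size is checked for wrap-around, so the
 * caller can never hold a "valid" pointer to a zero-length table. */
void *table_realloc(void *old, size_t n, size_t elem_size)
{
    if (n == 0 || elem_size == 0 || n > SIZE_MAX / elem_size) {
        errno = EINVAL;
        return NULL;              /* old is left untouched for the caller */
    }
    return realloc(old, n * elem_size);
}

int main(void)
{
    printf("realloc(ptr, 0) here: %s\n",
           probe_realloc_zero() == ZR_RETURNS_NULL ? "returns NULL"
                                                    : "returns a pointer");
    uint32_t *h = table_realloc(NULL, 0, sizeof *h);
    printf("table_realloc(NULL, 0, ...): %s\n", h == NULL ? "rejected" : "?");
    return 0;
}
```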

