Bugtraq mailing list archives
Re: SSH deja vu
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 23 Oct 2001 19:11:01 -0400 (EDT)
On Wed, 24 Oct 2001, Lucian Hudin wrote:
I don't know about any teso exploit, but what I want to mention is that I remember studying this problem myself and I've found that the crc32 bug doesn't manifest under operating systems that return NULL on realloc(ptr, 0). So if the exploit is based on the fact that realloc(ptr, 0) will NOT return NULL, Linux & W2k (systems I have access to) were never actually vulnerable.
Very interesting conclusion - but certainly wrong. Actually, modern systems usually allow you to allocate zero-sized "placeholders", and Linux, *BSD and (IIRC) Solaris follow this rule. Two proof-of-concept exploits were already published on BUGTRAQ, numerous others - developed for a not so broad audience.
The Linux realloc manual says: "realloc() returns a pointer to the newly allocated memory, which is suitably aligned for any kind of variable and may be different from ptr, or NULL if the request fails or if size was equal to 0."
The manual page is wrong. This is not the behavior of recent glibc releases.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
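The disagreement above is about whether realloc(ptr, 0) returns NULL or a usable zero-sized block, and whether code should ever rely on that to abort safely. The following C program is an added example, not part of the thread and not taken from the SSH code being discussed: it probes the behaviour of realloc(ptr, 0) on the machine it runs on, and then contrasts a constructed model of the sizing defect (an entry count derived from a length and narrowed to a 16-bit variable, which can wrap to zero) with a hardened sizing routine that rejects zero and overflowing sizes before any allocator is called, so correctness never depends on what realloc(ptr, 0) happens to do. Function names, the block size and the entry size are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Probe the running C library: returns 1 if realloc(ptr, 0) hands back
   a non-NULL zero-sized block, 0 if it returns NULL (in which case the
   implementation has usually freed ptr already, so it must not be freed
   again here), -1 if the initial malloc failed. The result is
   implementation-defined and is reported for information only. */
int realloc_zero_returns_pointer(void)
{
    void *p = malloc(16);
    if (p == NULL)
        return -1;
    void *q = realloc(p, 0);
    if (q == NULL)
        return 0;          /* p is considered released by realloc */
    free(q);
    return 1;
}

/* Constructed model of the flawed pattern: the number of table entries is
   derived from an externally supplied length and stored in a 16-bit
   variable. For len / block == 65536 the count wraps to 0, which is what
   turns a later realloc into realloc(ptr, 0). Hypothetical helper. */
uint16_t truncated_entry_count(uint32_t len, uint32_t block)
{
    return (uint16_t)(len / block);
}

/* Hardened sizing: compute in a wide type and refuse a zero or overflowing
   byte count up front. Returns the number of bytes to allocate, or 0 when
   the request must be rejected by the caller. Hypothetical helper. */
size_t checked_table_bytes(uint32_t len, uint32_t block, size_t entry_size)
{
    if (block == 0 || entry_size == 0)
        return 0;
    uint32_t entries = len / block;
    if (entries == 0)
        return 0;                               /* never allocate 0 bytes */
    if ((size_t)entries > SIZE_MAX / entry_size)
        return 0;                               /* multiplication would wrap */
    return (size_t)entries * entry_size;
}

/* Grow a table only through the checked size; on rejection the old buffer
   is left untouched and NULL is returned, so the caller sees a hard
   failure instead of an undersized buffer. Hypothetical helper. */
void *resize_table(void *table, uint32_t len, uint32_t block, size_t entry_size)
{
    size_t bytes = checked_table_bytes(len, block, entry_size);
    if (bytes == 0)
        return NULL;
    return realloc(table, bytes);
}

int main(void)
{
    const uint32_t block = 8;      /* assumed block size */
    const size_t entry = 2;        /* assumed entry size in bytes */
    const uint32_t wrap_len = 65536u * block;   /* constructed input */

    printf("realloc(ptr, 0) returns pointer: %d\n", realloc_zero_returns_pointer());
    printf("truncated count for len=%u: %u\n", wrap_len,
           (unsigned)truncated_entry_count(wrap_len, block));
    printf("checked size for len=%u: %zu bytes\n", wrap_len,
           checked_table_bytes(wrap_len, block, entry));

    void *t = resize_table(NULL, 100, block, entry);   /* 12 entries */
    printf("small table allocated: %s\n", t ? "yes" : "no");
    free(t);
    return 0;
}
```

The probe is deliberately kept separate from the sizing logic: what it prints differs between C libraries and versions, which is exactly why the hardened path checks the size itself rather than trusting the allocator to fail in a convenient way.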
Current thread:
- SSH deja vu Max Parke (Oct 23)
- Re: SSH deja vu Michal Zalewski (Oct 23)
- Re: SSH deja vu Lucian Hudin (Oct 23)
- Re: SSH deja vu Michal Zalewski (Oct 23)
- Re: SSH deja vu Lucian Hudin (Oct 23)
- Re: SSH deja vu Michal Zalewski (Oct 23)