Vulnerability Development mailing list archives
openssh vulnerability
From: Diode Trnasistor <ffddfe () yahoo com>
Date: Tue, 16 Sep 2003 07:49:33 -0700 (PDT)
In case you haven't been following it, on full disclosure there's been some mention of a new ssh vulnerability. The vulnerability is allegedly in the following sniplet of code taken from buffer.c file of openssh distrib: void * buffer_append_space(Buffer *buffer, u_int len) { void *p; if (len > 0x100000) fatal("buffer_append_space: len %u not supported",len); /* If the buffer is empty, start using it from the beginning. */ if (buffer->offset == buffer->end) { buffer->offset = 0; buffer->end = 0; } restart: /* If there is enough space to store all data, store it now. */ if (buffer->end + len < buffer->alloc) { p = buffer->buf + buffer->end; buffer->end += len; return p; } /* * If the buffer is quite empty, but all data is at the end, move the * data to the beginning and retry. */ if (buffer->offset > buffer->alloc / 2) { memmove(buffer->buf, buffer->buf + buffer->offset, buffer->end - buffer->offset); buffer->end -= buffer->offset; buffer->offset = 0; goto restart; } /* Increase the size of the buffer and retry. */ buffer->alloc += len + 32768; if (buffer->alloc > 0xa00000) fatal("buffer_append_space: alloc %u not supported", buffer->alloc); buffer->buf = xrealloc(buffer->buf, buffer->alloc); goto restart; /* NOTREACHED */ } The structure of Buffer struct is: typedef struct { u_char *buf; /* Buffer for data. */ u_int alloc; /* Number of bytes allocd */ u_int offset; /* Offset of first byte containing data. */ u_int end; /* Offset of last byte containing data. */ } Buffer; Now reading the code i can't seem to find anything wrong, but there is already a patch out! Patch is at: http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h Looking at patch they added a variable u_int newlen; And then at the very bottom where the xrealloc happens newlen = buffer->alloc + len + 32768; and finally: buffer->buf = xrealloc(buffer->buf, newlen); buffer->alloc = newlen; So all that's accomplished is not using the value inside the buffer to be reallocated as the number of bytes to allocate. It is now done with a new variable. Is anyone familiar with what happens when you use realloc like they are using originally (when using a value instead the structure to reallocate as the second value to realloc). I still fail to see how this is a security problem, and would like it if someone would explain it to me. Thanx :) __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com
Current thread:
- Cannot access memory at address 0x90909090 Ingram (Sep 11)
- Re: Cannot access memory at address 0x90909090 fr0stman (Sep 11)
- <Possible follow-ups>
- Re: Cannot access memory at address 0x90909090 DownBload (Sep 12)
- Re: Cannot access memory at address 0x90909090 . npguy (Sep 13)
- openssh vulnerability Diode Trnasistor (Sep 16)
- Re: openssh vulnerability Przemyslaw Frasunek (Sep 16)
- Re: openssh vulnerability Robert A. Seace (Sep 16)
- openssh vulnerability Diode Trnasistor (Sep 16)