Date: Tue, 16 Sep 2003 11:35:00 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSH heads-up
Message-ID: <20030916163500.GA93908@madman.celabo.org>
In-Reply-To: <200309161632.h8GGW1PC002728@apollo.backplane.com>
References: <20030916134347.GA30359@madman.celabo.org> <20030916160543.GA28313@alaska.cert.siemens.de> <20030916161121.GA91300@madman.celabo.org> <200309161632.h8GGW1PC002728@apollo.backplane.com>
On Tue, Sep 16, 2003 at 09:32:01AM -0700, Matthew Dillon wrote:
> I've been staring at the patch for 30 minutes and I can't figure
> out what it is supposed to fix. Is there some other thread or
> signal or something that might access the buffer while its length
> is in an indeterminate state? The code doesn't seem to be structured
> for that case.

Taken from my draft advisory to be released shortly:

--- excerpt ---
II. Problem Description

When a packet is received that is larger than the space remaining in the currently allocated buffer, OpenSSH's buffer management attempts to reallocate a larger buffer. During this process, the recorded size of the buffer is increased. The new size is then range checked. If the range check fails, then fatal() is called to clean up and exit. In some cases, the cleanup code will attempt to zero and free the buffer that just had its recorded size (but not actual allocation) increased. As a result, memory outside of the allocated buffer will be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash. The bug is not believed to be exploitable for code execution on FreeBSD.
--- excerpt ---

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
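The ordering problem the advisory excerpt describes, as an added illustration that is neither OpenSSH's code nor part of this thread: a constructed model of a growable buffer in which the recorded size is bumped before the range check (vulnerable), next to the ordering that checks a local candidate size first and commits only after the reallocation (hardened). The struct fields, the 32768-byte growth step, the 0xa00000 limit and the helper names are assumptions made for the demo; the modelled cleanup never writes outside the allocation, it only reports how far it would have.

```c
#include <stdlib.h>
#include <string.h>
#define BUFFER_MAX_LEN 0xa00000u   /* assumed range limit for this demo */
#define GROWTH_STEP    32768u      /* assumed growth slack for this demo */

/* Constructed growable buffer: 'alloc' is the size the code records;
 * 'real_alloc' is what the allocator really handed out (demo bookkeeping). */
struct buf { unsigned char *data; size_t alloc, real_alloc; };

static void buf_init(struct buf *b, size_t n) { b->data = calloc(n, 1); b->alloc = b->real_alloc = n; }

/* Models the zero-and-free that fatal()'s cleanup performs: it trusts 'alloc'.
 * Returns how many bytes lie past the real allocation (0 = safe); the memset
 * is clamped so this demonstration never corrupts memory itself. */
static size_t cleanup_overshoot(struct buf *b) {
    size_t over = b->alloc > b->real_alloc ? b->alloc - b->real_alloc : 0;
    memset(b->data, 0, b->alloc - over);
    free(b->data);
    b->data = NULL;
    return over;
}

/* Vulnerable ordering: recorded size grows before the range check, so a
 * failed check hands the cleanup an 'alloc' larger than the allocation. */
static size_t append_space_vuln(struct buf *b, size_t len) {
    b->alloc += len + GROWTH_STEP;
    if (b->alloc > BUFFER_MAX_LEN)
        return cleanup_overshoot(b);          /* stands in for fatal() */
    b->data = realloc(b->data, b->alloc);
    b->real_alloc = b->alloc;
    return 0;
}

/* Hardened ordering: check a local candidate size, commit after realloc. */
static size_t append_space_fixed(struct buf *b, size_t len) {
    size_t newlen = b->alloc + len + GROWTH_STEP;
    if (newlen > BUFFER_MAX_LEN)
        return cleanup_overshoot(b);          /* 'alloc' still matches memory */
    b->data = realloc(b->data, newlen);
    b->alloc = b->real_alloc = newlen;
    return 0;
}

/* Same scenario for either ordering: a normal append, then an oversized one
 * that trips the range check. Returns the bytes the cleanup would overrun. */
static size_t overshoot_for(size_t (*append)(struct buf *, size_t)) {
    struct buf b;
    buf_init(&b, 4096);
    append(&b, 1024);                          /* fits, buffer grows normally */
    return append(&b, BUFFER_MAX_LEN);         /* too large: fatal() path */
}
```

The vulnerable ordering reports an overrun of exactly the amount by which the recorded size was inflated before the check failed, while the hardened ordering reports none.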
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030916163500.GA93908>