OpenSSH heads-up

Jacques A. Vidrine nectar at FreeBSD.org
Tue Sep 16 09:35:02 PDT 2003


On Tue, Sep 16, 2003 at 09:32:01AM -0700, Matthew Dillon wrote:
>     I've been staring at the patch for 30 minutes and I can't figure
>     out what it is supposed to fix.  Is there some other thread or
>     signal or something that might access the buffer while its length
>     is in an indeterminate state?  The code doesn't seem to be structured
>     for that case.

Taken from my draft advisory to be released shortly:

--- excerpt ---
II.  Problem Description

When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer.  During this process, the recorded size
of the buffer is increased.  The new size is then range checked.  If
the range check fails, then fatal() is called to clean up and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased.  As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash.  The bug is not believed
to be exploitable for code execution on FreeBSD.
--- excerpt ---

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se
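
The following C model is an added illustration of the ordering problem described in the excerpt; it is not code from the advisory, from the patch, or from OpenSSH. It is simplified (no retry loop, no growth slack) and uses a constructed size limit, BUFFER_MAX_LEN, in place of the real range-check constant. The flawed version bumps the recorded size before the range check, so the cleanup that follows a failed check believes the buffer is larger than it is; the fixed version commits the new size only after the check and the reallocation both succeed. So that the demonstration can run safely, the cleanup routine measures how many bytes it would have zeroed past the allocation instead of actually writing them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed ceiling for this demonstration; it plays the role of the limit
 * the range check in the advisory enforces, not OpenSSH's actual constant. */
#define BUFFER_MAX_LEN ((size_t)1 << 20)

struct buffer {
    unsigned char *buf;
    size_t alloc;      /* recorded size: what the buffer code believes it owns */
    size_t end;        /* bytes currently in use */
    size_t real_alloc; /* bytes actually allocated; tracked only so the demo can measure damage */
};

static void buffer_init(struct buffer *b, size_t initial)
{
    b->buf = calloc(1, initial);
    b->alloc = b->real_alloc = initial;
    b->end = 0;
}

/* Models the cleanup reached through fatal(): it zeroes the buffer using the
 * recorded size.  Rather than writing past the allocation, it zeroes only what
 * really exists and returns how far the recorded size overshot, i.e. how many
 * NUL bytes the real cleanup would have written out of bounds. */
static size_t buffer_cleanup(struct buffer *b)
{
    size_t overrun = b->alloc > b->real_alloc ? b->alloc - b->real_alloc : 0;
    memset(b->buf, 0, b->real_alloc);
    free(b->buf);
    b->buf = NULL;
    b->alloc = b->real_alloc = b->end = 0;
    return overrun;
}

/* Flawed ordering from the advisory: the recorded size grows before the range
 * check, so when the check fails the cleanup sees a size the allocation never
 * reached.  Returns 0 on success, -1 where fatal() would be called. */
static int append_space_flawed(struct buffer *b, size_t len)
{
    if (b->end + len <= b->alloc) {
        b->end += len;
        return 0;
    }
    b->alloc += len;                 /* recorded size increased first */
    if (b->alloc > BUFFER_MAX_LEN)
        return -1;                   /* fatal(): cleanup now runs with the inflated size */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->real_alloc = b->alloc;
    b->end += len;
    return 0;
}

/* Corrected ordering: compute the candidate size, range check it, reallocate,
 * and only then commit the new size.  Every failure path leaves the recorded
 * size equal to the real allocation, so the cleanup stays in bounds. */
static int append_space_fixed(struct buffer *b, size_t len)
{
    if (b->end + len <= b->alloc) {
        b->end += len;
        return 0;
    }
    size_t newlen = b->alloc + len;
    if (newlen < len || newlen > BUFFER_MAX_LEN)   /* also rejects size_t wraparound */
        return -1;                   /* fatal(): struct is still consistent for cleanup */
    unsigned char *p = realloc(b->buf, newlen);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->alloc = b->real_alloc = newlen;
    b->end += len;
    return 0;
}

/* Drive one oversized append through the given version and report how far
 * the cleanup would have written past the allocation. */
static size_t demo_overrun(int (*append)(struct buffer *, size_t))
{
    struct buffer b;
    buffer_init(&b, 4096);
    (void)append(&b, BUFFER_MAX_LEN);   /* guaranteed to trip the range check */
    return buffer_cleanup(&b);
}

/* Normal growth with the fixed version; returns the recorded size afterwards. */
static size_t demo_grow(size_t initial, size_t len)
{
    struct buffer b;
    buffer_init(&b, initial);
    if (append_space_fixed(&b, len) != 0)
        return 0;
    size_t alloc = b.alloc;
    buffer_cleanup(&b);
    return alloc;
}

int main(void)
{
    printf("flawed: cleanup would zero %zu bytes out of bounds\n", demo_overrun(append_space_flawed));
    printf("fixed:  cleanup would zero %zu bytes out of bounds\n", demo_overrun(append_space_fixed));
    printf("fixed grow 4096 + 5000 -> alloc %zu\n", demo_grow(4096, 5000));
    return 0;
}
```

The point the model makes is the one Dillon's question misses: no concurrent access is needed. The single control path of range-check failure followed by fatal() and its cleanup is enough, because the cleanup trusts a size field that was updated ahead of the allocation it describes.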