North American Network Operators Group

Re: Heads up -- potential problems in 3.7, too? [Fwd: OpenSSH Security Advisory: buffer.adv]
On Tue, 16 Sep 2003 [email protected] wrote:

> I hope you mean OpenSSH 3.7p1 ?

No, he means 3.7.1. There was another release today.

bye,
ken emery

> On Tue, 16 Sep 2003, Alex Lambert wrote:
> >
> > > 3.7.1 was just released.
> >
> > Two patches for similar issues in a very short timeframe. Who do they
> > think they are -- Microsoft? <grin>
> >
> > apl
> >
> > -------- Original Message --------
> > Subject: OpenSSH Security Advisory: buffer.adv
> > Date: Wed, 17 Sep 2003 01:13:30 +0200
> > From: Markus Friedl <[email protected]>
> > To: [email protected]
> >
> > This is the 2nd revision of the Advisory.
> >
> > This document can be found at: http://www.openssh.com/txt/buffer.adv
> >
> > 1. Versions affected:
> >
> > All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
> > management errors. It is uncertain whether these errors are
> > potentially exploitable, however, we prefer to see bugs
> > fixed proactively.
> >
> > Other implementations sharing common origin may also have
> > these issues.
> >
> > 2. Solution:
> >
> > Upgrade to OpenSSH 3.7.1 or apply the following patch.
> >
> > ===================================================================
> > Appendix A: patch for OpenSSH 3.6.1 and earlier
> >
> > Index: buffer.c > > =================================================================== > > RCS file: /cvs/src/usr.bin/ssh/buffer.c,v > > retrieving revision 1.16 > > retrieving revision 1.18 > > diff -u -r1.16 -r1.18 > > --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 > > +++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 > > @@ -23,8 +23,11 @@ > > void > > buffer_init(Buffer *buffer) > > { > > - buffer->alloc = 4096; > > - buffer->buf = xmalloc(buffer->alloc); > > + const u_int len = 4096; > > + > > + buffer->alloc = 0; > > + buffer->buf = xmalloc(len); > > + buffer->alloc = len; > > buffer->offset = 0; > > buffer->end = 0; > > } 
> > @@ -34,8 +37,10 @@ > > void > > buffer_free(Buffer *buffer) > > { > > - memset(buffer->buf, 0, buffer->alloc); > > - xfree(buffer->buf); > > + if (buffer->alloc > 0) { > > + memset(buffer->buf, 0, buffer->alloc); > > + xfree(buffer->buf); > > + } > > } > > > > /* > > @@ -69,6 +74,7 @@ > > void * > > buffer_append_space(Buffer *buffer, u_int len) > > { > > + u_int newlen; > > void *p; > > > > if (len > 0x100000) > > @@ -98,11 +104,13 @@ > > goto restart; > > } > > /* Increase the size of the buffer and retry. */ > > - buffer->alloc += len + 32768; > > - if (buffer->alloc > 0xa00000) > > + > > + newlen = buffer->alloc + len + 32768; > > + if (newlen > 0xa00000) > > fatal("buffer_append_space: alloc %u not supported", > > - buffer->alloc); > > - buffer->buf = xrealloc(buffer->buf, buffer->alloc); > > + newlen); > > + buffer->buf = xrealloc(buffer->buf, newlen); > > + buffer->alloc = newlen; > > goto restart; > > /* NOTREACHED */ > > } > > Index: channels.c > > =================================================================== > > RCS file: /cvs/src/usr.bin/ssh/channels.c,v > > retrieving revision 1.194 > > retrieving revision 1.195 > > diff -u -r1.194 -r1.195 > > --- channels.c 29 Aug 2003 10:04:36 -0000 1.194 > > +++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 
> > @@ -228,12 +228,13 @@ > > if (found == -1) { > > /* There are no free slots. Take last+1 slot and expand the array. */ > > found = channels_alloc; > > - channels_alloc += 10; > > if (channels_alloc > 10000) > > fatal("channel_new: internal error: channels_alloc %d " > > "too big.", channels_alloc); > > + channels = xrealloc(channels, > > + (channels_alloc + 10) * sizeof(Channel *)); > > + channels_alloc += 10; > > debug2("channel: expanding %d", channels_alloc); > > - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); > > for (i = found; i < channels_alloc; i++) > > channels[i] = NULL; > > } > > > > > > =================================================================== > > Appendix B: patch for OpenSSH 3.7 > > > > Index: buffer.c > > =================================================================== > > RCS file: /cvs/src/usr.bin/ssh/buffer.c,v > > retrieving revision 1.17 > > retrieving revision 1.18 > > diff -u -r1.17 -r1.18 > > --- buffer.c 16 Sep 2003 03:03:47 -0000 1.17 > > +++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 > > @@ -23,8 +23,11 @@ > > void > > buffer_init(Buffer *buffer) > > { > > - buffer->alloc = 4096; > > - buffer->buf = xmalloc(buffer->alloc); > > + const u_int len = 4096; > > + > > + buffer->alloc = 0; > > + buffer->buf = xmalloc(len); > > + buffer->alloc = len; > > buffer->offset = 0; > > buffer->end = 0; > > } > > @@ -34,8 +37,10 @@ > > void > > buffer_free(Buffer *buffer) > > { > > - memset(buffer->buf, 0, buffer->alloc); > > - xfree(buffer->buf); > > + if (buffer->alloc > 0) { > > + memset(buffer->buf, 0, buffer->alloc); > > + xfree(buffer->buf); > > + } > > } > > > > /* > > Index: channels.c > > =================================================================== > > RCS file: /cvs/src/usr.bin/ssh/channels.c,v > > retrieving revision 1.194 > > retrieving revision 1.195 > > diff -u -r1.194 -r1.195 > > --- channels.c 29 Aug 2003 10:04:36 -0000 1.194 > > +++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 
> > @@ -228,12 +228,13 @@ > > if (found == -1) { > > /* There are no free slots. Take last+1 slot and expand the array. */ > > found = channels_alloc; > > - channels_alloc += 10; > > if (channels_alloc > 10000) > > fatal("channel_new: internal error: channels_alloc %d " > > "too big.", channels_alloc); > > + channels = xrealloc(channels, > > + (channels_alloc + 10) * sizeof(Channel *)); > > + channels_alloc += 10; > > debug2("channel: expanding %d", channels_alloc); > > - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); > > for (i = found; i < channels_alloc; i++) > > channels[i] = NULL; > > } > > > > =================================================================== > > > > > > > > > > James Smallacombe PlantageNet, Inc. CEO and Janitor > [email protected] http://3.am > ========================================================================= >
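Review bot: the ordering in the buffer_init hunk (`buffer->alloc = 0;`, then `buffer->buf = xmalloc(len);`, then `buffer->alloc = len;`) is the whole point of the change but nothing in the code says so; add a comment stating the invariant that buffer->alloc must never describe memory that has not actually been allocated, because on the path where xmalloc does not return normally the old `buffer->alloc = 4096; buffer->buf = xmalloc(buffer->alloc);` left alloc claiming 4096 bytes behind an uninitialised buf, which is exactly what buffer_free then trusts. The identical hunk appears in Appendix B.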
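Review bot: the new `if (buffer->alloc > 0)` guard in buffer_free stops it from clearing and freeing a buffer that was never fully initialised, but after `xfree(buffer->buf);` neither buffer->alloc nor buffer->buf is reset, so a second buffer_free on the same Buffer would still memset and free a dangling pointer. Suggest adding `buffer->alloc = 0;` and `buffer->buf = NULL;` inside the block after the xfree so the guard also covers double frees. Same comment for the copy of this hunk in Appendix B.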
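Review bot: in the buffer_append_space realloc hunk, buffer->alloc is now left untouched until `buffer->buf = xrealloc(buffer->buf, newlen);` has returned and only then set with `buffer->alloc = newlen;`, which closes the window in the old code where alloc was bumped before both the 0xa00000 check and the xrealloc. That invariant deserves a one-line comment, since a later cleanup that folds `newlen` back into `buffer->alloc` would silently reintroduce the bug. The arithmetic itself is fine: the context shows `if (len > 0x100000)` rejecting large requests and `newlen > 0xa00000` bounding alloc, so `buffer->alloc + len + 32768` cannot wrap a u_int.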
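Review bot: in the channels.c hunk the `if (channels_alloc > 10000)` test still runs against the old count, so the array is grown to channels_alloc + 10 before the limit is enforced on the following expansion; if 10000 is meant as a hard ceiling, test `channels_alloc + 10 > 10000` instead. Moving `channels = xrealloc(channels, (channels_alloc + 10) * sizeof(Channel *));` ahead of `channels_alloc += 10;` is the right fix, since channels_alloc now only describes the array once the realloc has succeeded, and the `for (i = found; i < channels_alloc; i++) channels[i] = NULL;` loop correctly picks up the new value. Appendix B carries the identical hunk.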