
Re: Heads up -- potential problems in 3.7, too? [Fwd: OpenSSH SecurityAdvisory: buffer.adv]

  • From: ken emery
  • Date: Tue Sep 16 21:05:02 2003

On Tue, 16 Sep 2003 [email protected] wrote:

> I hope you mean OpenSSH 3.7p1 ?

No, he means 3.7.1.  There was another release today.

bye,
ken emery

> On Tue, 16 Sep 2003, Alex Lambert wrote:
>
> >
> > 3.7.1 was just released.
> >
> > Two patches for similar issues in a very short timeframe. Who do they
> > think they are -- Microsoft? <grin>
> >
> >
> >
> >
> > apl
> >
> > -------- Original Message --------
> > Subject: OpenSSH Security Advisory: buffer.adv
> > Date: Wed, 17 Sep 2003 01:13:30 +0200
> > From: Markus Friedl <[email protected]>
> > To: [email protected]
> >
> > This is the 2nd revision of the Advisory.
> >
> > This document can be found at:  http://www.openssh.com/txt/buffer.adv
> >
> > 1. Versions affected:
> >
> >          All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
> >          management errors.  It is uncertain whether these errors are
> >          potentially exploitable; however, we prefer to see bugs
> >          fixed proactively.
> >
> >          Other implementations sharing common origin may also have
> >          these issues.
> >
> > 2. Solution:
> >
> > 	Upgrade to OpenSSH 3.7.1 or apply the following patch.
> >
> > ===================================================================
> > Appendix A: patch for OpenSSH 3.6.1 and earlier
> >
> > Index: buffer.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
> > retrieving revision 1.16
> > retrieving revision 1.18
> > diff -u -r1.16 -r1.18
> > --- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
> > +++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
> > @@ -23,8 +23,11 @@
> >   void
> >   buffer_init(Buffer *buffer)
> >   {
> > -	buffer->alloc = 4096;
> > -	buffer->buf = xmalloc(buffer->alloc);
> > +	const u_int len = 4096;
> > +
> > +	buffer->alloc = 0;
> > +	buffer->buf = xmalloc(len);
> > +	buffer->alloc = len;
> >   	buffer->offset = 0;
> >   	buffer->end = 0;
> >   }
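Review bot: The ordering of the three new assignments in buffer_init is load-bearing but uncommented: `alloc` is cleared before `xmalloc()` and only set to `len` once `buf` holds a valid pointer, which presumably is what makes a `buffer_free()` reached from an allocation-failure cleanup path a no-op instead of a memset/free of an uninitialised pointer. A one-line comment above `buffer->alloc = 0;` such as `/* keep alloc at 0 until buf is valid so buffer_free() on a half-initialised buffer does nothing */` would stop a later cleanup from folding it back into the old two-line form. The same hunk appears unchanged in Appendix B (the patch for 3.7).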
> > @@ -34,8 +37,10 @@
> >   void
> >   buffer_free(Buffer *buffer)
> >   {
> > -	memset(buffer->buf, 0, buffer->alloc);
> > -	xfree(buffer->buf);
> > +	if (buffer->alloc > 0) {
> > +		memset(buffer->buf, 0, buffer->alloc);
> > +		xfree(buffer->buf);
> > +	}
> >   }
> >
> >   /*
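Review bot: After `xfree(buffer->buf)` the new guard still leaves `buffer->alloc` at its old value and `buffer->buf` dangling, so the `alloc > 0` test only protects a buffer that was never initialised, not one on which buffer_free is called twice; adding `buffer->alloc = 0; buffer->buf = NULL;` inside the `if` block would make a repeated call harmless as well. Separately, the `memset()` immediately before `xfree()` is a dead store from the compiler's point of view and may be elided, so if the zeroing is meant to scrub sensitive contents it needs a helper the optimiser cannot drop (whether this tree has one is not visible here). Appendix B carries the identical buffer_free hunk.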
> > @@ -69,6 +74,7 @@
> >   void *
> >   buffer_append_space(Buffer *buffer, u_int len)
> >   {
> > +	u_int newlen;
> >   	void *p;
> >
> >   	if (len > 0x100000)
> > @@ -98,11 +104,13 @@
> >   		goto restart;
> >   	}
> >   	/* Increase the size of the buffer and retry. */
> > -	buffer->alloc += len + 32768;
> > -	if (buffer->alloc > 0xa00000)
> > +
> > +	newlen = buffer->alloc + len + 32768;
> > +	if (newlen > 0xa00000)
> >   		fatal("buffer_append_space: alloc %u not supported",
> > -		    buffer->alloc);
> > -	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
> > +		    newlen);
> > +	buffer->buf = xrealloc(buffer->buf, newlen);
> > +	buffer->alloc = newlen;
> >   	goto restart;
> >   	/* NOTREACHED */
> >   }
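Review bot: `newlen = buffer->alloc + len + 32768` is only safe from unsigned wrap because `len` above `0x100000` is rejected earlier in the function (the check is visible as context in the preceding hunk) and `alloc` is never set above `0xa00000` here; neither invariant is stated at the point of use, so a comment such as `/* no wrap: len <= 0x100000 was checked on entry and alloc <= 0xa00000 is maintained below */` would keep the `newlen > 0xa00000` test meaningful if either cap is later changed. The new ordering (bound check, `xrealloc()`, then publish `alloc`) keeps `alloc` from exceeding the real allocation if `xrealloc()` aborts via `fatal()`, which presumably is what made the old `+=` form unsafe on the cleanup path, and that rationale is worth a comment next to `buffer->alloc = newlen;`. buffer_append_space's body begins before this hunk, and the argument rests on `alloc` only being grown in this function, which I cannot confirm from here.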
> > Index: channels.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/channels.c,v
> > retrieving revision 1.194
> > retrieving revision 1.195
> > diff -u -r1.194 -r1.195
> > --- channels.c	29 Aug 2003 10:04:36 -0000	1.194
> > +++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
> > @@ -228,12 +228,13 @@
> >   	if (found == -1) {
> >   		/* There are no free slots.  Take last+1 slot and expand the array.  */
> >   		found = channels_alloc;
> > -		channels_alloc += 10;
> >   		if (channels_alloc > 10000)
> >   			fatal("channel_new: internal error: channels_alloc %d "
> >   			    "too big.", channels_alloc);
> > +		channels = xrealloc(channels,
> > +		    (channels_alloc + 10) * sizeof(Channel *));
> > +		channels_alloc += 10;
> >   		debug2("channel: expanding %d", channels_alloc);
> > -		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
> >   		for (i = found; i < channels_alloc; i++)
> >   			channels[i] = NULL;
> >   	}
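Review bot: Moving the `channels_alloc > 10000` test ahead of the `+= 10` loosens the limit: the old code refused any growth past 10000 entries, while the new code lets `channels_alloc` reach 10010 before the next expansion is refused. If the bound is meant to be strict, test the post-growth value, `if (channels_alloc + 10 > 10000)`. Calling `xrealloc()` before `channels_alloc += 10` is the point of the change, since `channels` and `channels_alloc` then stay consistent if `xrealloc()` aborts, and it deserves a comment on the `xrealloc` line, e.g. `/* grow the array before publishing the new count so a fatal() in xrealloc() leaves channels and channels_alloc consistent */`. The enclosing function starts before this hunk; Appendix B repeats this hunk unchanged.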
> >
> >
> > ===================================================================
> > Appendix B: patch for OpenSSH 3.7
> >
> > Index: buffer.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
> > retrieving revision 1.17
> > retrieving revision 1.18
> > diff -u -r1.17 -r1.18
> > --- buffer.c	16 Sep 2003 03:03:47 -0000	1.17
> > +++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
> > @@ -23,8 +23,11 @@
> >   void
> >   buffer_init(Buffer *buffer)
> >   {
> > -	buffer->alloc = 4096;
> > -	buffer->buf = xmalloc(buffer->alloc);
> > +	const u_int len = 4096;
> > +
> > +	buffer->alloc = 0;
> > +	buffer->buf = xmalloc(len);
> > +	buffer->alloc = len;
> >   	buffer->offset = 0;
> >   	buffer->end = 0;
> >   }
> > @@ -34,8 +37,10 @@
> >   void
> >   buffer_free(Buffer *buffer)
> >   {
> > -	memset(buffer->buf, 0, buffer->alloc);
> > -	xfree(buffer->buf);
> > +	if (buffer->alloc > 0) {
> > +		memset(buffer->buf, 0, buffer->alloc);
> > +		xfree(buffer->buf);
> > +	}
> >   }
> >
> >   /*
> > Index: channels.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/channels.c,v
> > retrieving revision 1.194
> > retrieving revision 1.195
> > diff -u -r1.194 -r1.195
> > --- channels.c	29 Aug 2003 10:04:36 -0000	1.194
> > +++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
> > @@ -228,12 +228,13 @@
> >   	if (found == -1) {
> >   		/* There are no free slots.  Take last+1 slot and expand the array.  */
> >   		found = channels_alloc;
> > -		channels_alloc += 10;
> >   		if (channels_alloc > 10000)
> >   			fatal("channel_new: internal error: channels_alloc %d "
> >   			    "too big.", channels_alloc);
> > +		channels = xrealloc(channels,
> > +		    (channels_alloc + 10) * sizeof(Channel *));
> > +		channels_alloc += 10;
> >   		debug2("channel: expanding %d", channels_alloc);
> > -		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
> >   		for (i = found; i < channels_alloc; i++)
> >   			channels[i] = NULL;
> >   	}
> >
> > ===================================================================
> >
> >
> >
> >
>
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> [email protected]							    http://3.am
> =========================================================================
>