[Bug 3250] New: Integer overflow in ConnectTimeout

bugzilla-daemon at mindrot.org
Sun Jan 10 20:04:05 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3250

            Bug ID: 3250
           Summary: Integer overflow in ConnectTimeout
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: berardi.dav at gmail.com

Created attachment 3465
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3465&action=edit
Proposed Patch

Setting a high value for the ConnectTimeout option will make it
negative.  This will result in an integer overflow undetected by the
previous checks.

PoC: (ArchLinux GNU/Linux)
$ uname -a
Linux haigha 5.10.5-arch1-1 #1 SMP PREEMPT Thu, 07 Jan 2021 09:50:43 +0000 x86_64 GNU/Linux

$ gcc --version
gcc (GCC) 10.2.0
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ clang --version
clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
[1]    26360 abort (core dumped)  ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
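The class of defect reported above, shown as an added example rather than OpenSSH's own readconf.c: a long parsed with strtol is narrowed into an int, so a value like 0x80000000 becomes negative and slips past a later sign check. The hardened parser below assumes (as a constructed detail, not something the report states) that the seconds value is later multiplied by 1000 for a millisecond timeout, and bounds it accordingly.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a ConnectTimeout-style value (seconds) into an int.
 * Constructed example, not OpenSSH code. Rejects non-numeric input,
 * negative values, values that do not fit a long, and values whose
 * later conversion to milliseconds (assumed: seconds * 1000) would
 * overflow an int. Returns 0 on success, -1 on any error. */
int parse_timeout_seconds(const char *s, int *out)
{
    char *end = NULL;
    long val;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    val = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                 /* not a number, or outside long range */
    if (val < 0)
        return -1;                 /* a negative timeout is never valid */
    if (val > INT_MAX / 1000)
        return -1;                 /* seconds * 1000 would not fit an int */
    *out = (int)val;               /* now provably in range for an int */
    return 0;
}

/* The unchecked shape the report describes: narrowing a long into an
 * int silently wraps large values negative on LP64 platforms. Shown
 * only for contrast; constructed, not OpenSSH code. */
int parse_timeout_unchecked(const char *s)
{
    return (int)strtol(s, NULL, 10);
}

int main(void)
{
    /* constructed sample inputs, including the report's 0x80000000 */
    const char *inputs[] = { "10", "2147483648", "-5", "abc", "9999999" };
    int t;
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        if (parse_timeout_seconds(inputs[i], &t) == 0)
            printf("%-11s ok: %d seconds\n", inputs[i], t);
        else
            printf("%-11s rejected (unchecked cast would give %d)\n",
                   inputs[i], parse_timeout_unchecked(inputs[i]));
    }
    return 0;
}
```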
