[Bug 3250] New: Integer overflow in ConnectTimeout
bugzilla-daemon at mindrot.org
Sun Jan 10 20:04:05 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Bug ID: 3250
Summary: Integer overflow in ConnectTimeout
Product: Portable OpenSSH
Version: 8.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: berardi.dav at gmail.com
Created attachment 3465
--> https://bugzilla.mindrot.org/attachment.cgi?id=3465&action=edit
Proposed Patch
Setting a high value for the ConnectTimeout option will make it
negative. This will result in an integer overflow undetected by the
previous checks.
PoC: (ArchLinux GNU/Linux)
$ uname -a
Linux haigha 5.10.5-arch1-1 #1 SMP PREEMPT Thu, 07 Jan 2021 09:50:43 +0000 x86_64 GNU/Linux
$ gcc --version
gcc (GCC) 10.2.0
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ clang --version
clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
[1]    26360 abort (core dumped)  ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
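The report describes a value that is parsed as a long, narrowed to an int and then used in arithmetic, so that a large positive setting becomes negative and slips past the existing checks. The following is an added illustration written for this page; it is not OpenSSH's readconf code and not the reporter's attached patch. The function names naive_timeout_seconds and timeout_ms_from_arg are hypothetical, and the sign-flip result assumes the usual x86_64 ABI (32-bit int, 64-bit long) with the gcc/clang modulo behaviour for narrowing conversions. The hardened parser rejects negative input, input that does not fit in an int, and input whose seconds-to-milliseconds conversion would overflow, which is the class of check the report says was missing.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* The risky pattern (hypothetical, for illustration): parse into a long,
 * then narrow to int with no range check. On x86_64 gcc/clang the value
 * 2147483648 (0x80000000) wraps to INT_MIN, so a later negativity test on
 * the seconds field sees a "valid" but nonsensical timeout. */
int naive_timeout_seconds(const char *arg)
{
    long v = strtol(arg, NULL, 10);  /* no errno, end-pointer or range checks */
    return (int)v;                   /* narrowing: 2147483648 -> -2147483648 */
}

/* Hardened variant (hypothetical): returns the timeout in milliseconds,
 * or -1 if the argument is not a non-negative decimal integer that fits
 * in an int both as seconds and after the *1000 conversion. */
int timeout_ms_from_arg(const char *arg)
{
    char *end = NULL;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0')
        return -1;                   /* overflowed long, or trailing garbage */
    if (v < 0 || v > INT_MAX)
        return -1;                   /* would not fit the int option field */
    if (v > INT_MAX / 1000)
        return -1;                   /* seconds -> milliseconds would overflow */
    return (int)v * 1000;            /* safe: v * 1000 <= INT_MAX by the check above */
}

int main(void)
{
    /* constructed sample inputs, including the value from the report */
    const char *samples[] = { "10", "2147483", "2147484", "2147483648", "-5", "12abc" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s naive_seconds=%d hardened_ms=%d\n", samples[i],
               naive_timeout_seconds(samples[i]), timeout_ms_from_arg(samples[i]));
    return 0;
}
```

The second guard (`v > INT_MAX / 1000`) is the one that matters for a timeout stored in seconds but consumed in milliseconds: a value can pass the int-range check and still overflow once scaled, so the bound has to be applied to the scaled quantity, not just the raw option value.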