overflow in buffer_put_bignum2

Mikulas Patocka mikulas at artax.karlin.mff.cuni.cz
Sun Feb 22 10:02:45 EST 2004

Previous message: a story of compromise and an idea
Next message: Key exchange
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi

When buffer_put_bugnum2 is called with zero bignum, it touches unallocated
memory:

BN_num_bytes returns 0, one byte is allocated and
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
touches array out of bounds.

Mikulas

Previous message: a story of compromise and an idea
Next message: Key exchange
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the openssh-unix-dev mailing list