overflow in buffer_put_bignum2

Mikulas Patocka mikulas at artax.karlin.mff.cuni.cz
Sun Feb 22 10:02:45 EST 2004


Hi

When buffer_put_bignum2 is called with a zero bignum, it touches unallocated
memory:

BN_num_bytes returns 0, one byte is allocated, and
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
touches the array out of bounds.

Mikulas
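The two encoders below are an added example to illustrate the report; they are not OpenSSH's code. The OpenSSL BIGNUM is replaced by a stand-in that takes a non-negative value as a big-endian byte string (so that, like BN_num_bytes(), the value zero has length 0), and the OpenSSH Buffer is replaced by an assumed fixed-size outbuf. put_bignum2_unchecked() keeps the structure of the routine quoted above: it allocates BN_num_bytes()+1 bytes and then reads buf[1], which is the one byte past the allocation when the value is zero. put_bignum2() returns a zero-length mpint for zero before touching the scratch buffer, so buf[1] is only read when at least two bytes were allocated. The output format is the SSH mpint wire encoding (length-prefixed, extra 0x00 when the high bit is set).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSH's Buffer (assumption: a flat fixed-size array suffices here). */
typedef struct {
    uint8_t data[64];
    size_t len;
} outbuf;

static void put_bytes(outbuf *b, const uint8_t *p, size_t n)
{
    if (b->len + n > sizeof(b->data))
        abort();                          /* constructed example: no growth needed */
    memcpy(b->data + b->len, p, n);
    b->len += n;
}

static void put_int(outbuf *b, uint32_t v)
{
    uint8_t be[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v };
    put_bytes(b, be, 4);
}

/* Stand-ins for BN_num_bytes()/BN_bn2bin(): leading zero bytes of the big-endian
 * magnitude are not significant, so zero has BN_num_bytes() == 0 and bn2bin writes nothing. */
static size_t bn_num_bytes(const uint8_t *mag, size_t maglen)
{
    size_t skip = 0;
    while (skip < maglen && mag[skip] == 0)
        skip++;
    return maglen - skip;
}

static size_t bn2bin(const uint8_t *mag, size_t maglen, uint8_t *out)
{
    size_t n = bn_num_bytes(mag, maglen);
    memcpy(out, mag + (maglen - n), n);
    return n;
}

/* The bound the report is about: buf has BN_num_bytes()+1 bytes, so buf[1]
 * exists only for a non-zero value. */
static int hasnohigh_read_in_bounds(const uint8_t *mag, size_t maglen)
{
    return bn_num_bytes(mag, maglen) + 1 >= 2;
}

/* Same structure as the routine in the report: for a zero value bytes == 1, only
 * buf[0] exists, and the read of buf[1] is out of bounds. Never call it with zero;
 * it is here to show the pattern, not to reuse. */
static void put_bignum2_unchecked(outbuf *b, const uint8_t *mag, size_t maglen)
{
    size_t bytes = bn_num_bytes(mag, maglen) + 1;    /* extra padding byte */
    uint8_t *buf = malloc(bytes);
    unsigned hasnohigh;

    if (buf == NULL)
        abort();
    buf[0] = 0;
    bn2bin(mag, maglen, buf + 1);
    hasnohigh = (buf[1] & 0x80) ? 0 : 1;             /* out of bounds when bytes == 1 */
    put_int(b, (uint32_t)(bytes - hasnohigh));
    put_bytes(b, buf + hasnohigh, bytes - hasnohigh);
    free(buf);
}

/* Hardened form: zero becomes an mpint of length 0 (00 00 00 00 on the wire)
 * before any scratch byte is read; otherwise bytes >= 2 and buf[1] is valid. */
static int put_bignum2(outbuf *b, const uint8_t *mag, size_t maglen)
{
    size_t n = bn_num_bytes(mag, maglen);
    size_t bytes;
    uint8_t *buf;
    unsigned hasnohigh;

    if (n == 0) {
        put_int(b, 0);
        return 0;
    }
    bytes = n + 1;                                    /* extra padding byte */
    if ((buf = malloc(bytes)) == NULL)
        return -1;
    buf[0] = 0;
    if (bn2bin(mag, maglen, buf + 1) != n) {          /* mirrors the oi != bytes-1 check */
        free(buf);
        return -1;
    }
    hasnohigh = (buf[1] & 0x80) ? 0 : 1;             /* bytes >= 2 here */
    put_int(b, (uint32_t)(bytes - hasnohigh));
    put_bytes(b, buf + hasnohigh, bytes - hasnohigh);
    free(buf);
    return 0;
}

int main(void)
{
    const uint8_t zero[] = { 0x00, 0x00 };            /* constructed inputs */
    const uint8_t high[] = { 0x80 };
    outbuf b = { {0}, 0 };
    size_t i;

    printf("buf[1] in bounds for zero: %d\n", hasnohigh_read_in_bounds(zero, sizeof zero));
    put_bignum2(&b, zero, sizeof zero);
    put_bignum2(&b, high, sizeof high);
    for (i = 0; i < b.len; i++)
        printf("%02x ", b.data[i]);
    printf("\n");
    return 0;
}
```

The unchecked encoder and the hardened one produce identical output for every non-zero value; the only behavioural difference is that the hardened one has a defined answer for zero, which is exactly the input the report says the original never handled.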




More information about the openssh-unix-dev mailing list