[PATCH 2/12] bug fix: openssh-4.3p2 NULL dereference
Markus Friedl
markus.r.friedl at arcor.de
Wed May 17 00:15:01 EST 2006
IV is always valid in this case.
However, we removed this code for the next release, since it's not used.
On Mon, May 15, 2006 at 03:18:58PM -0500, Kylene Jo Hall wrote:
> The variable IV can be NULL when passed into the function. However,
> IV is dereferenced in CMP, therefore, IV should be checked before
> sending it to this macro. This patch adds what is common in other parts
> of the code but is missing on this particular check. This entire set of
> patches passed the regression tests on my system. Null dereference bug
> found by Coverity.
>
> Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
> ---
> deattack.c | 2 +-
> 1 files changed, 1 insertion(+), 1 deletion(-)
>
> diff -uprN openssh-4.3p2/deattack.c openssh-4.3p2-kylie/deattack.c
> --- openssh-4.3p2/deattack.c 2003-09-22 06:04:23.000000000 -0500
> +++ openssh-4.3p2-kylie/deattack.c 2006-05-04 15:10:19.000000000 -0500
> @@ -137,7 +137,7 @@ detect_attack(u_char *buf, u_int32_t len
> for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
> i = (i + 1) & (n - 1)) {
> if (h[i] == HASH_IV) {
> - if (!CMP(c, IV)) {
> + if (IV && !CMP(c, IV)) {
> if (check_crc(c, buf, len, IV))
> return (DEATTACK_DETECTED);
> else
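Review bot: the new `IV &&` test on the `CMP(c, IV)` line sits inside the `if (h[i] == HASH_IV)` branch, so the patch should state whether a slot can ever hold HASH_IV while IV is NULL. If it cannot, the guard is unreachable and a comment or assertion documenting that invariant would be clearer than a silent check. If it can, note that a NULL IV now skips both the comparison and the `check_crc(c, buf, len, IV)` call for that slot, and the description should confirm that skipping the CRC check there is the intended result rather than a side effect of avoiding the dereference.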