[PATCH 2/12] bug fix: openssh-4.3p2 NULL dereference

Markus Friedl markus.r.friedl at arcor.de
Wed May 17 00:15:01 EST 2006


IV is always valid in this case.

However, we removed this code for the next release, since it's not used.

On Mon, May 15, 2006 at 03:18:58PM -0500, Kylene Jo Hall wrote:
> The variable IV can be NULL when passed into the function. However,
> IV is dereferenced in CMP, therefore, IV should be checked before
> sending it to this macro.  This patch adds what is common in other parts
> of the code but is missing on this particular check.  This entire set of
> patches passed the regression tests on my system.  Null dereference bug
> found by Coverity.
> 
> Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
> ---
> deattack.c |    2 +-
> 1 files changed, 1 insertion(+), 1 deletion(-)
> 
> diff -uprN openssh-4.3p2/deattack.c openssh-4.3p2-kylie/deattack.c
> --- openssh-4.3p2/deattack.c	2003-09-22 06:04:23.000000000 -0500
> +++ openssh-4.3p2-kylie/deattack.c	2006-05-04 15:10:19.000000000 -0500
> @@ -137,7 +137,7 @@ detect_attack(u_char *buf, u_int32_t len
>  		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
>  		    i = (i + 1) & (n - 1)) {
>  			if (h[i] == HASH_IV) {
> -				if (!CMP(c, IV)) {
> +				if (IV && !CMP(c, IV)) {
>  					if (check_crc(c, buf, len, IV))
>  						return (DEATTACK_DETECTED);
>  					else
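Review bot: The new guard in `if (IV && !CMP(c, IV)) {` silently skips both the comparison and the `check_crc(c, buf, len, IV)` call when IV is NULL, and nothing in this hunk shows whether a slot can hold HASH_IV in that state. If `h[i] == HASH_IV` can only occur after a non-NULL IV has been inserted into the table, the added test is unreachable and hides the invariant; a short comment stating that HASH_IV implies a valid IV would then be clearer than a runtime check. If the slot can be reached with IV NULL, say in the commit message which caller passes NULL and what the intended result is, since with this change the block is treated as a non-match rather than reported.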
> 
> 



