CVE-2002-0083 - what's the problem? beginner's question
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Dec 31 05:24:40 EST 2014
On 12/30/2014 01:13 PM, Stefan Bauer wrote:
> I'm not a programmer nor able to fully understand the code of openssh in detail - hence my question here.
>
> Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to understand what the actual problem is, but failed:
>
> --- channels_old.c Mon Mar 4 02:07:06 2002
> +++ channels.c Mon Mar 4 02:07:16 2002
> @@ -151,7 +151,7 @@
> channel_lookup(int id)
> {
> Channel *c;
> - if (id < 0 || id > channels_alloc) {
> + if (id < 0 || id >= channels_alloc) {
> log("channel_lookup: %d: bad id", id);
> return NULL;
> }
>
>
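Review bot: the original condition `id > channels_alloc` still accepts `id == channels_alloc`, which is one past the last valid slot of a 0-indexed table holding channels_alloc entries, so the lookup would index past the end of the array without ever reaching the "bad id" log; the `>=` on the `+` line is the correct fix. Since the function now returns NULL for that id, it is worth confirming in the rest of the file that every caller of channel_lookup() checks for NULL before using the result.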
> What does that mean?
> If id is less than 0 (are we talking about the unix uid?)
This code is working with the concept of separated channels of traffic
within a single ssh connection.
For more details, see:
https://tools.ietf.org/html/rfc4254#section-5
The id is the number of the channel being looked up.
> or id greater than channels_alloc - log & return null)
>
> Is this check for detecting users (not root) trying to do something nasty?
In C, like many programming languages, arrays are 0-indexed.
This means that if you have 4 channels allocated, they are numbers 0, 1,
2, and 3, but there is no "channel 4".
The patch above ensures that someone calling channel_lookup(4) when 4
channels are allocated will get the appropriate response (an error
response), instead of trying to return information about a
channel that doesn't exist.
hth,
--dkg
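As an added illustration (not code from this thread or from OpenSSH itself), here is a constructed miniature of the channel table with the bounds test as it read before and after the patch side by side, plus a channel_lookup() that uses the corrected check. The Channel struct, the channels table, channels_alloc and the channels_init() helper are stand-ins assumed for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Constructed stand-in for OpenSSH's Channel: only the field this example needs. */
typedef struct { int self; } Channel;   /* self: channel number == slot index */

static Channel **channels = NULL;   /* table of channel pointers (constructed) */
static int channels_alloc = 0;      /* number of slots in the table */

/* Range test as it read before the patch: still accepts id == channels_alloc,
 * which is one past the last valid slot (valid slots are 0 .. channels_alloc-1). */
bool id_in_range_before(int id, int alloc) { return !(id < 0 || id > alloc); }

/* Range test after the patch: rejects id == channels_alloc as well. */
bool id_in_range_after(int id, int alloc) { return !(id < 0 || id >= alloc); }

/* Lookup using the corrected check; NULL for any id outside the table. */
Channel *channel_lookup(int id)
{
    if (id < 0 || id >= channels_alloc) {
        fprintf(stderr, "channel_lookup: %d: bad id\n", id);
        return NULL;
    }
    return channels[id];
}

/* Build a table of n channels numbered 0 .. n-1 (constructed sample data). */
int channels_init(int n)
{
    channels = calloc((size_t)n, sizeof *channels);
    if (channels == NULL) exit(1);
    for (int i = 0; i < n; i++) {
        channels[i] = calloc(1, sizeof **channels);
        if (channels[i] == NULL) exit(1);
        channels[i]->self = i;
    }
    channels_alloc = n;
    return channels_alloc;
}

int main(void)
{
    channels_init(4);   /* channels 0, 1, 2 and 3 exist; there is no channel 4 */
    printf("old check accepts id 4: %d\n", id_in_range_before(4, channels_alloc));
    printf("new check accepts id 4: %d\n", id_in_range_after(4, channels_alloc));
    printf("lookup(4) is NULL: %d\n", channel_lookup(4) == NULL);
    return 0;
}
```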