OpenSSH Security Advisory: buffer.adv

Stephen Smoogen smoogen at lanl.gov
Wed Sep 17 06:31:41 EST 2003


I would like to thank the OpenBSD and OpenSSH teams for getting these
updates out so quickly and all the work they have done on the IETF lists
recently to see what/why/etc things are headed to. I think they have
really helped in getting the next-gen SSH done.

[Off to order a bunch of CDs or figure out how to do a direct PayPal to
help pay for all this work.]


On Tue, 2003-09-16 at 06:32, Markus Friedl wrote:
> This is the 1st revision of the Advisory.
> 
> This document can be found at:  http://www.openssh.com/txt/buffer.adv
> 
> 1. Versions affected:
> 
>         All versions of OpenSSH's sshd prior to 3.7 contain a buffer
>         management error.  It is uncertain whether this error is
>         potentially exploitable, however, we prefer to see bugs
>         fixed proactively.
> 
> 2. Solution:
> 
> 	Upgrade to OpenSSH 3.7 or apply the following patch.
> 
> Appendix:
> 
> Index: buffer.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
> retrieving revision 1.16
> retrieving revision 1.17
> diff -u -r1.16 -r1.17
> --- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
> +++ buffer.c	16 Sep 2003 03:03:47 -0000	1.17
> @@ -69,6 +69,7 @@
>  void *
>  buffer_append_space(Buffer *buffer, u_int len)
>  {
> +	u_int newlen;
>  	void *p;
>  
>  	if (len > 0x100000)
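
Review bot: newlen is declared as u_int in this hunk, so the sum later
assigned to it is unsigned arithmetic that would wrap silently; that it
cannot wrap depends on the len > 0x100000 check at the end of this hunk
staying ahead of that computation. A one-line comment at the declaration
or at that check stating the dependency would keep a later refactor from
moving or loosening it.
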
> @@ -98,11 +99,13 @@
>  		goto restart;
>  	}
>  	/* Increase the size of the buffer and retry. */
> -	buffer->alloc += len + 32768;
> -	if (buffer->alloc > 0xa00000)
> +	
> +	newlen = buffer->alloc + len + 32768;
> +	if (newlen > 0xa00000)
>  		fatal("buffer_append_space: alloc %u not supported",
> -		    buffer->alloc);
> -	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
> +		    newlen);
> +	buffer->buf = xrealloc(buffer->buf, newlen);
> +	buffer->alloc = newlen;
>  	goto restart;
>  	/* NOTREACHED */
>  }
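
Review bot: the reason buffer->alloc is now assigned only after the size
check and xrealloc() is not documented anywhere in the hunk, and it is the
whole point of the change: on the fatal() path the old code had already
raised alloc past the real size of buf. Please put a short comment above
"buffer->alloc = newlen;" saying alloc must always describe the memory
actually held, so nobody folds it back into an in-place "+=". Style: the
added line after the "Increase the size" comment contains only a tab and
should be dropped or left empty, and 32768 and 0xa00000 would read better
as named constants.
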
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Labrador  CCN-5 Sched 5/40  PH: 4-0645 (note new #)
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



