[PLUTO-security] [Fwd: OpenSSH Buffer Management Bug Advisory]
Tom aka 'Dido'
tom at pluto.linux.it
Wed 17 Sep 2003 18:50:47 CEST
-----Forwarded Message-----
>
> Subject: OpenSSH Security Advisory: buffer.adv
>
> This is the 1st revision of the Advisory.
>
> This document can be found at: http://www.openssh.com/txt/buffer.adv
>
> 1. Versions affected:
>
> All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> management error. It is uncertain whether this error is
> potentially exploitable; however, we prefer to see bugs
> fixed proactively.
>
> 2. Solution:
>
> Upgrade to OpenSSH 3.7 or apply the following patch.
>
> Appendix:
>
> Index: buffer.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
> retrieving revision 1.16
> retrieving revision 1.17
> diff -u -r1.16 -r1.17
> --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
> +++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
> @@ -69,6 +69,7 @@
> void *
> buffer_append_space(Buffer *buffer, u_int len)
> {
> + u_int newlen;
> void *p;
>
> if (len > 0x100000)
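
Review bot: `newlen` is declared as `u_int` with no comment, and the sum later stored in it (`buffer->alloc + len + 32768`) is unsigned arithmetic whose result is only meaningful if it cannot wrap. The `len > 0x100000` test shown here is one of the limits that check relies on; a short comment at the declaration or at this test, stating that the limits keep the sum far below the `u_int` range, would stop a later change to either limit from silently invalidating the `newlen > 0xa00000` check.
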
> @@ -98,11 +99,13 @@
> goto restart;
> }
> /* Increase the size of the buffer and retry. */
> - buffer->alloc += len + 32768;
> - if (buffer->alloc > 0xa00000)
> +
> + newlen = buffer->alloc + len + 32768;
> + if (newlen > 0xa00000)
> fatal("buffer_append_space: alloc %u not supported",
> - buffer->alloc);
> - buffer->buf = xrealloc(buffer->buf, buffer->alloc);
> + newlen);
> + buffer->buf = xrealloc(buffer->buf, newlen);
> + buffer->alloc = newlen;
> goto restart;
> /* NOTREACHED */
> }
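
Review bot: the reason `buffer->alloc = newlen` comes after both the `newlen > 0xa00000` check and the `xrealloc` call is not recorded anywhere in the code. The removed lines updated `buffer->alloc` first, so on the `fatal()` path the structure claimed more space than `buffer->buf` actually had. A one-line comment above the assignment, saying that `alloc` must only change once the reallocation has succeeded, would keep the ordering from being undone. Any other place in buffer.c that raises `alloc` before allocating deserves the same check. The added blank `+` line after the "Increase the size of the buffer and retry" comment also separates that comment from the code it describes and can be dropped.
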
>
>
> David Mirza Ahmad
> Symantec
>
> PGP: 0x26005712
> 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
> --
> The battle for the past is for the future.
> We must be the winners of the memory war.