[alambert@quickfire.org: Heads up -- potential problems in 3.7, too? [Fwd: OpenSSH Security Advisory: buffer.adv]]

Haesu haesu at towardex.com
Tue Sep 16 17:57:47 PDT 2003 

Is anybody aware of this?

-hc

----- Forwarded message from Alex Lambert <alambert at quickfire.org> -----

3.7.1 was just released.

Two patches for similar issues in a very short timeframe. Who do they 
think they are -- Microsoft? <grin>




apl

-------- Original Message --------
Subject: OpenSSH Security Advisory: buffer.adv
Date: Wed, 17 Sep 2003 01:13:30 +0200
From: Markus Friedl <markus at openbsd.org>
To: misc at openbsd.org

This is the 2nd revision of the Advisory.

This document can be found at:  http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
        management errors.  It is uncertain whether these errors are
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

        Other implementations sharing common origin may also have
        these issues.

2. Solution:

	Upgrade to OpenSSH 3.7.1 or apply the following patch.

===================================================================
Appendix A: patch for OpenSSH 3.6.1 and earlier

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
+++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }

 /*
@@ -69,6 +74,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+	u_int newlen;
 	void *p;

 	if (len > 0x100000)
@@ -98,11 +104,13 @@
 		goto restart;
 	}
 	/* Increase the size of the buffer and retry. */
-	buffer->alloc += len + 32768;
-	if (buffer->alloc > 0xa00000)
+	
+	newlen = buffer->alloc + len + 32768;
+	if (newlen > 0xa00000)
 		fatal("buffer_append_space: alloc %u not supported",
-		    buffer->alloc);
-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+		    newlen);
+	buffer->buf = xrealloc(buffer->buf, newlen);
+	buffer->alloc = newlen;
 	goto restart;
 	/* NOTREACHED */
 }
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
+++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
@@ -228,12 +228,13 @@
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the 
 		array.  */
 		found = channels_alloc;
-		channels_alloc += 10;
 		if (channels_alloc > 10000)
 			fatal("channel_new: internal error: channels_alloc 
 			%d "
 			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel *));
+		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * 
sizeof(Channel *));
 		for (i = found; i < channels_alloc; i++)
 			channels[i] = NULL;
 	}


===================================================================
Appendix B: patch for OpenSSH 3.7

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- buffer.c	16 Sep 2003 03:03:47 -0000	1.17
+++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }

 /*
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
+++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
@@ -228,12 +228,13 @@
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the 
 		array.  */
 		found = channels_alloc;
-		channels_alloc += 10;
 		if (channels_alloc > 10000)
 			fatal("channel_new: internal error: channels_alloc 
 			%d "
 			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel *));
+		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * 
sizeof(Channel *));
 		for (i = found; i < channels_alloc; i++)
 			channels[i] = NULL;
 	}

===================================================================



----- End forwarded message -----

-- 
Sincerely,
  Haesu C.
  TowardEX Technologies, Inc.
  WWW: http://www.towardex.com
  E-mail: haesu at towardex.com
  Cell: (978) 394-2867

More information about the freebsd-security mailing list