
some possible issues


Looking into the source I found some possible issues you might want to
take a closer look at:

1)
messages.c's handle_channel_request does not check if
ssh_channel_from_local returns NULL. Thus there is no error and the
code may be calling ssh_message_channel_request_reply_success, triggering
a NULL-pointer dereference. I guess with an implementation like
examplesshd that could be a Denial-of-service attack (though usually
I guess there would be a fork, so catching a SIGSEGV most likely at most
allows to skip some cleaning up or make some log messages incomplete).

2)
channels.c's channel_new does not deallocate stdout_buffer if
stderr_buffer fails to allocate. (I doubt that memory hole will
have any real world issues, though).

3)
channels.c's channel_default_bufferize looks strange. In case of buffer
errors channel->std{out,err}_buffer is freed but not set to NULL, which
might cause corrupting memory management (double free or writing to
freed memory). I guess it is even thinkable (though I guess not
with realistic thinking) that this might be exploitable remotely
to get some code executed in some form.

Yours faithfully,
	Bernhard R. Link
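The three patterns the report describes (an unchecked NULL from a channel lookup, a partial allocation that leaks on failure, and a freed buffer pointer left dangling) are shown below in the corrected form, as an added example that is not part of the mail or of libssh. The demo_ types and functions, DEMO_MAX_BUFFER and the allocation fault injection are stand-ins constructed for this example, not libssh's own API; the structure merely mirrors the channel_new / channel_default_bufferize / handle_channel_request shape the mail refers to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the libssh objects the mail discusses; the demo_
 * names and DEMO_MAX_BUFFER are assumptions for this example, not libssh's API. */
#define DEMO_MAX_BUFFER 64
typedef struct { unsigned char data[DEMO_MAX_BUFFER]; size_t used; } demo_buffer;
typedef struct { int local_id; demo_buffer *stdout_buffer, *stderr_buffer; } demo_channel;

/* Fault injection and accounting so the error paths can actually be exercised. */
static int fail_alloc_at = 0, alloc_count = 0;  /* fail the Nth allocation, 0 = never */
static int live_buffers = 0;                     /* buffers allocated minus buffers freed */
void demo_set_alloc_failure(int nth) { fail_alloc_at = nth; alloc_count = 0; }
int  demo_live_buffers(void) { return live_buffers; }

static demo_buffer *demo_buffer_new(void) {
    if (fail_alloc_at && ++alloc_count == fail_alloc_at) return NULL;
    demo_buffer *b = calloc(1, sizeof *b);
    if (b) live_buffers++;
    return b;
}
static void demo_buffer_free(demo_buffer *b) {
    if (!b) return;
    free(b);
    live_buffers--;
}
/* Bounded append: overflowing the fixed capacity is the "buffer error" of issue 3. */
static int demo_buffer_add(demo_buffer *b, const void *p, size_t n) {
    if (b->used + n > DEMO_MAX_BUFFER) return -1;
    memcpy(b->data + b->used, p, n);
    b->used += n;
    return 0;
}

/* Issue 2: if the second buffer cannot be allocated, release the first one
 * before failing, so a failed channel_new leaks nothing. */
demo_channel *demo_channel_new(int local_id) {
    demo_channel *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->local_id = local_id;
    c->stdout_buffer = demo_buffer_new();
    if (!c->stdout_buffer) { free(c); return NULL; }
    c->stderr_buffer = demo_buffer_new();
    if (!c->stderr_buffer) {
        demo_buffer_free(c->stdout_buffer);   /* the cleanup the mail says is missing */
        free(c);
        return NULL;
    }
    return c;
}
void demo_channel_free(demo_channel *c) {
    if (!c) return;
    demo_buffer_free(c->stdout_buffer);       /* safe on NULL, see issue 3 below */
    demo_buffer_free(c->stderr_buffer);
    free(c);
}

/* Issue 3: on a buffer error, free the buffer AND reset the pointer to NULL.
 * Leaving the dangling pointer in place would let demo_channel_free() double
 * free it, or a later bufferize call write into freed memory. */
int demo_channel_bufferize(demo_channel *c, int is_stderr, const void *data, size_t len) {
    demo_buffer **slot = is_stderr ? &c->stderr_buffer : &c->stdout_buffer;
    if (*slot == NULL) return -1;             /* buffer already torn down by an earlier error */
    if (demo_buffer_add(*slot, data, len) < 0) {
        demo_buffer_free(*slot);
        *slot = NULL;
        return -1;
    }
    return 0;
}

/* Issue 1: the lookup legitimately returns NULL for a channel id the peer made
 * up, so the request handler must check before touching the channel. */
demo_channel *demo_channel_from_local(demo_channel **table, size_t n, int local_id) {
    for (size_t i = 0; i < n; i++)
        if (table[i] && table[i]->local_id == local_id) return table[i];
    return NULL;
}
int demo_handle_channel_request(demo_channel **table, size_t n, int local_id) {
    demo_channel *c = demo_channel_from_local(table, n, local_id);
    if (c == NULL) return -1;                 /* reject instead of dereferencing NULL */
    return demo_channel_bufferize(c, 0, "ok", 2);
}

int main(void) {
    demo_channel *chans[2] = { demo_channel_new(7), NULL };
    printf("request for known id 7:   %d\n", demo_handle_channel_request(chans, 2, 7));
    printf("request for unknown id 9: %d\n", demo_handle_channel_request(chans, 2, 9));
    demo_channel_free(chans[0]);
    return 0;
}
```

The live-buffer counter is what makes the second point checkable: after an injected failure of the second allocation, demo_channel_new must return NULL with the count back at zero. Nulling the slot in demo_channel_bufferize is what lets demo_channel_free run unconditionally afterwards without a double free.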

Follow-Ups:
Re: some possible issuesAndreas Schneider <mail@xxxxxxxxxxxx>