[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: some possible issues


On Tuesday 17 November 2009 17:57:57 Bernhard R. Link wrote:
> Looking into the source I found some possible issue you might want to
> take a closer look at:
> 

Hi Bernhard,

> 1)
> messages.c's handle_channel_request does not check if
> ssh_channel_from_local returns NULL. Thus there is no error and the
> code may be calling ssh_message_channel_request_reply_success triggering
> and NULL-pointer derference. I guess with an implementation like
> examplesshd that could be a Denial-of-service attack (though usually
> I guess there would be a fork, so catching a SIGSEV most likely at most
> allows to skip some cleaning up or make some log messages incomplete).

I will look at it later or aris will do it.

> 2)
> channels.c's channel_new does not deallocate stdout_buffer if
> stderr_buffer fails to allocate. (I doubt that memory hole will
> have any real world issues, though).

I've fixed this one. Thanks

> 
> 3)
> channels.c's channel_default_bufferize looks strange. in case of buffer
> errors channel->std{out,err}_buffer is freed but not set to NULL, which
> might cause corrupting memory management (double free or writing to
> free'd memory). I guess it is even thinkable (though I guess not
> with realistic thinking) that this might be exploitable remotly
> to get some code executed in some form.

Are you sure that it is not NULL, we use SAFE_FREE() which is a macro which 
sets a pointer always to NULL after freeing it. I think this needs a closer 
look.


	-- andreas

Attachment: signature.asc
Description: This is a digitally signed message part.


Follow-Ups:
Re: some possible issues"Bernhard R. Link" <brlink@xxxxxxxxxx>
References:
some possible issues"Bernhard R. Link" <brlink@xxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org