some possible issues
- Subject: some possible issues
 - From: "Bernhard R. Link" <brlink@xxxxxxxxxx>
 - Reply-to: libssh@xxxxxxxxxx
 - Date: Tue, 17 Nov 2009 17:57:57 +0100
 - To: libssh@xxxxxxxxxx
 
Looking into the source I found some possible issues you might want to
take a closer look at:
1)
messages.c's handle_channel_request does not check if
ssh_channel_from_local returns NULL. Thus there is no error and the
code may be calling ssh_message_channel_request_reply_success, triggering
a NULL-pointer dereference. I guess with an implementation like
examplesshd that could be a Denial-of-service attack (though usually
I guess there would be a fork, so catching a SIGSEGV most likely at most
allows skipping some cleaning up or makes some log messages incomplete).
2)
channels.c's channel_new does not deallocate stdout_buffer if
stderr_buffer fails to allocate. (I doubt that memory hole will
have any real world issues, though).
3)
channels.c's channel_default_bufferize looks strange. In case of buffer
errors channel->std{out,err}_buffer is freed but not set to NULL, which
might cause corrupting memory management (double free or writing to
freed memory). I guess it is even thinkable (though I guess not
with realistic thinking) that this might be exploitable remotely
to get some code executed in some form.
Yours faithfully,
	Bernhard R. Link
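The three error-handling patterns the mail describes (an unchecked NULL from a channel lookup, a leaked first buffer when the second allocation fails, and a buffer freed on error without clearing the pointer), shown in their defensive form. This is an added example, not libssh's code and not the poster's; the types `buf_t`/`chan_t`, the functions `chan_new`, `chan_bufferize`, `channel_from_local`, `handle_channel_request`, the `BUF_MAX` limit and the `fail_after` fault injection are all constructed for illustration and only loosely mirror the libssh names in the mail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified types; not libssh's real ssh_channel / ssh_buffer. */
typedef struct { char *data; size_t len; } buf_t;
typedef struct { buf_t *stdout_buffer; buf_t *stderr_buffer; } chan_t;

#define BUF_MAX 4096   /* constructed per-buffer limit used to provoke a "buffer error" */

/* Fault injection so the error paths can actually be exercised:
 * fail_after = -1 never fails; fail_after = n fails the n-th buf_new() (0-based). */
static int fail_after = -1;
static int alloc_count = 0;

static buf_t *buf_new(void) {
    if (fail_after >= 0 && alloc_count++ >= fail_after) return NULL;
    return calloc(1, sizeof(buf_t));
}

static void buf_free(buf_t *b) {
    if (b) { free(b->data); free(b); }
}

/* Issue 2: when the second allocation fails, the first one must be released too. */
static chan_t *chan_new(void) {
    chan_t *c = calloc(1, sizeof(chan_t));
    if (!c) return NULL;
    c->stdout_buffer = buf_new();
    if (!c->stdout_buffer) { free(c); return NULL; }
    c->stderr_buffer = buf_new();
    if (!c->stderr_buffer) {
        buf_free(c->stdout_buffer);   /* the release the mail says is missing */
        free(c);
        return NULL;
    }
    return c;
}

static void chan_free(chan_t *c) {
    if (!c) return;
    buf_free(c->stdout_buffer);       /* buf_free() tolerates NULL slots */
    buf_free(c->stderr_buffer);
    free(c);
}

/* Issue 3: on a buffer error, free the buffer AND clear the pointer, so a later
 * chan_free() cannot double-free and later writes cannot land in freed memory. */
static int chan_bufferize(chan_t *c, int to_stderr, const char *src, size_t n) {
    buf_t **slot = to_stderr ? &c->stderr_buffer : &c->stdout_buffer;
    if (*slot == NULL) return -1;                 /* already torn down by an earlier error */
    if ((*slot)->len + n > BUF_MAX) {             /* the error case */
        buf_free(*slot);
        *slot = NULL;                             /* without this line the pointer dangles */
        return -1;
    }
    char *p = realloc((*slot)->data, (*slot)->len + n);
    if (!p) { buf_free(*slot); *slot = NULL; return -1; }
    memcpy(p + (*slot)->len, src, n);
    (*slot)->data = p;
    (*slot)->len += n;
    return 0;
}

/* Issue 1: the lookup legitimately returns NULL for an unknown channel id;
 * the request handler must check before touching the channel. */
static chan_t *channel_from_local(chan_t **table, size_t ntable, unsigned id) {
    return id < ntable ? table[id] : NULL;
}

static int handle_channel_request(chan_t **table, size_t ntable, unsigned id,
                                  const char *payload, size_t n) {
    chan_t *c = channel_from_local(table, ntable, id);
    if (c == NULL) return -1;                     /* the check the mail reports as missing */
    return chan_bufferize(c, 0, payload, n);
}

/* Exercises all three paths; returns the number of checks that failed. */
static int run_checks(void) {
    int failed = 0;
    fail_after = 1; alloc_count = 0;              /* make the stderr_buffer allocation fail */
    if (chan_new() != NULL) failed++;             /* must fail cleanly */
    fail_after = -1;
    chan_t *c = chan_new();
    if (!c) return failed + 1;
    chan_t *table[1] = { c };
    if (handle_channel_request(table, 1, 7, "x", 1) != -1) failed++;   /* unknown id, no deref */
    if (handle_channel_request(table, 1, 0, "ok", 2) != 0) failed++;
    if (c->stdout_buffer == NULL || c->stdout_buffer->len != 2) failed++;
    char big[BUF_MAX + 1]; memset(big, 'A', sizeof big);
    if (chan_bufferize(c, 1, big, sizeof big) != -1) failed++;        /* forced buffer error */
    if (c->stderr_buffer != NULL) failed++;       /* pointer cleared, not dangling */
    chan_free(c);                                 /* safe: the NULL slot is skipped */
    return failed;
}

int main(void) {
    int failed = run_checks();
    printf("%d check(s) failed\n", failed);
    return failed ? 1 : 0;
}
```

Compiling with sanitizers (`-fsanitize=address`) is the quickest way to see why the `*slot = NULL` line matters: remove it and the final `chan_free()` becomes a double free that ASan reports immediately.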