[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: some possible issues
[Thread Prev] | [Thread Next]
- Subject: Re: some possible issues
- From: Andreas Schneider <mail@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 18 Nov 2009 10:35:06 +0100
- To: libssh@xxxxxxxxxx
On Tuesday 17 November 2009 17:57:57 Bernhard R. Link wrote:
> Looking into the source I found some possible issue you might want to
> take a closer look at:
>
Hi Bernhard,
> 1)
> messages.c's handle_channel_request does not check if
> ssh_channel_from_local returns NULL. Thus there is no error and the
> code may be calling ssh_message_channel_request_reply_success triggering
> and NULL-pointer derference. I guess with an implementation like
> examplesshd that could be a Denial-of-service attack (though usually
> I guess there would be a fork, so catching a SIGSEV most likely at most
> allows to skip some cleaning up or make some log messages incomplete).
I will look at it later or aris will do it.
> 2)
> channels.c's channel_new does not deallocate stdout_buffer if
> stderr_buffer fails to allocate. (I doubt that memory hole will
> have any real world issues, though).
I've fixed this one. Thanks
>
> 3)
> channels.c's channel_default_bufferize looks strange. in case of buffer
> errors channel->std{out,err}_buffer is freed but not set to NULL, which
> might cause corrupting memory management (double free or writing to
> free'd memory). I guess it is even thinkable (though I guess not
> with realistic thinking) that this might be exploitable remotly
> to get some code executed in some form.
Are you sure that it is not NULL, we use SAFE_FREE() which is a macro which
sets a pointer always to NULL after freeing it. I think this needs a closer
look.
-- andreas
Attachment:
signature.asc
Description: This is a digitally signed message part.
| Re: some possible issues | "Bernhard R. Link" <brlink@xxxxxxxxxx> |
| some possible issues | "Bernhard R. Link" <brlink@xxxxxxxxxx> |