From: Matthew Dillon
Date: Tue, 16 Sep 2003 16:59:41 +0000 (+0000)
Subject: Additional comments: ssh may attempt to zero and free the buffer from
X-Git-Tag: v2.0.1~12937
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/761d30f1a656218ff48fad6f8c0356a2b877c901

Additional comments: ssh may attempt to zero and free the buffer from fatal(). The incorrect buffer size at the time fatal() is called will cause it to zero an area larger than has actually been allocated. Since meta-data is not inline with the allocation on FreeBSD (and hence DragonFly) systems it is believed that the worst that can happen is a crash. On Linux systems, however, it may be possible to exploit the flaw to gain elevated privs.
---
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c index 1cdfc0b65c..97ce19d9c3 100644 --- a/crypto/openssh/buffer.c +++ b/crypto/openssh/buffer.c @@ -10,7 +10,7 @@ * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". * - * $DragonFly: src/crypto/openssh/Attic/buffer.c,v 1.2 2003/09/16 16:12:00 drhodus Exp $ + * $DragonFly: src/crypto/openssh/Attic/buffer.c,v 1.3 2003/09/16 16:59:41 dillon Exp $ */ #include "includes.h"
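
Review bot: the rationale about fatal() zeroing an area larger than the allocation is recorded only in the commit message, because the single hunk at -10,7 +10,7 changes nothing but the $DragonFly$ ident line (1.2 to 1.3). Suggest putting the same explanation in a comment in buffer.c, next to the code the message refers to, so that someone reading the source rather than the history sees why the buffer size must be correct by the time fatal() can run.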