polachok's projects / dragonfly.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 10a4d47) | patch
Additional comments: ssh may attempt to zero and free the buffer from
authorMatthew Dillon <dillon@dragonflybsd.org>
Tue, 16 Sep 2003 16:59:41 +0000 (16:59 +0000)
committerMatthew Dillon <dillon@dragonflybsd.org>
Tue, 16 Sep 2003 16:59:41 +0000 (16:59 +0000)
commit761d30f1a656218ff48fad6f8c0356a2b877c901
treeba42a473d50662c13614fc68ca9aa43dcd95c97btree | snapshot
parent10a4d47e52c899a6f589f523a04e0dc9f2e3007acommit | diff
Additional comments: ssh may attempt to zero and free the buffer from
fatal().  The incorrect buffer size at the time fatal() is called will
cause it to zero an area larger then has actually been allocated.  Since
meta-data is not inline with the allocation on FreeBSD (and hence DragonFly)
systems it is believed that the worst that can happen is a crash.  On linux
systems, however, it may be possible to exploit the flaw to gain elevated
privs.
crypto/openssh/buffer.c diff | blob | blame | history
polachok's DragonFly repo