Re: CVE-2002-0083 - whats the problem? beginners question

On 12/30/2014 01:13 PM, Stefan Bauer wrote:
> I'm not a programmer nor able to fully understand the code of openssh in detail - hence my question here.
> 
> Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to understand what the actual problem is, but failed:
> 
> --- channels_old.c    Mon Mar  4 02:07:06 2002
> +++ channels.c    Mon Mar  4 02:07:16 2002
> @@ -151,7 +151,7 @@
>  channel_lookup(int id)
>  {
>      Channel *c;
> -    if (id < 0 || id > channels_alloc) {
> +    if (id < 0 || id >= channels_alloc) {
>          log("channel_lookup: %d: bad id", id);
>          return NULL;
>      }
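
Review bot: The log() call under the changed `if` in channel_lookup() records only the rejected id, so a request for id == channels_alloc (the boundary case this comparison now rejects) cannot be told apart in the logs from any other bad id. Consider logging channels_alloc alongside the id, and adding a one-line comment above the check stating that valid ids run from 0 through channels_alloc - 1, since the difference between `>` and `>=` is easy to miss on a later edit.
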
> 
> 
> What does that mean? 
> If id is less than 0 (are we talking about the unix uid?)

This code is working with the concept of separated channels of traffic
within a single ssh connection.

for more details, see:

  https://tools.ietf.org/html/rfc4254#section-5

The id is the number of the channel being looked up.

> or id greater than channels_alloc - log & return null)
> 
> Is this check for detecting users (not root) trying to do something nasty? 

in C, like many programming languages, arrays are 0-indexed.

This means that if you have 4 channels allocated, they are numbers 0, 1,
2, and 3, but there is no "channel 4".

The patch above ensures that someone calling channel_lookup(4) when 4
channels are allocated will get the appropriate response (an error
response), instead of trying to return information about a
channel that doesn't exist.

hth,

	--dkg




_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
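
The off-by-one described in the reply above, as an added example that is not part of the original message and is not OpenSSH code. Only the two comparisons come from the quoted patch; the Channel struct, table_init(), id_ok_old(), id_ok_new(), lookup() and count_oob_accepted() are hypothetical names in a simplified stand-in for the channel table, and the 4-channel table is constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a channel table (hypothetical, not OpenSSH's). */
typedef struct { int self; } Channel;
static Channel *channels = NULL;
static int channels_alloc = 0;

/* Allocate n slots; the only valid ids are 0 .. n-1. */
static int table_init(int n) {
    free(channels);
    channels = calloc((size_t)n, sizeof(Channel));
    channels_alloc = channels ? n : 0;
    for (int i = 0; i < channels_alloc; i++) channels[i].self = i;
    return channels ? 0 : -1;
}

/* Comparison from the "-" line: id == channels_alloc slips through. */
static int id_ok_old(int id) { return !(id < 0 || id > channels_alloc); }
/* Comparison from the "+" line: id == channels_alloc is rejected. */
static int id_ok_new(int id) { return !(id < 0 || id >= channels_alloc); }

/* Lookup guarded by the patched comparison; NULL means "bad id". */
static Channel *lookup(int id) {
    return id_ok_new(id) ? &channels[id] : NULL;
}

/* Count ids in [lo, hi] that a check accepts although they are outside
 * the array. Nothing is dereferenced, so this is safe to run. */
static int count_oob_accepted(int (*check)(int), int lo, int hi) {
    int n = 0;
    for (int id = lo; id <= hi; id++)
        if (check(id) && (id < 0 || id >= channels_alloc)) n++;
    return n;
}

int main(void) {
    if (table_init(4) != 0) return 1;   /* constructed sample: 4 channels */
    for (int id = -1; id <= 5; id++)
        printf("id=%2d  old check: %-6s  new check: %-6s  lookup: %s\n", id,
               id_ok_old(id) ? "accept" : "reject",
               id_ok_new(id) ? "accept" : "reject",
               lookup(id) ? "channel" : "NULL");
    printf("out-of-range ids accepted: old=%d new=%d\n",
           count_oob_accepted(id_ok_old, -2, 8),
           count_oob_accepted(id_ok_new, -2, 8));
    free(channels);
    return 0;
}
```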
