On 12/30/2014 01:13 PM, Stefan Bauer wrote: > I'm not a programmer nor able to fully understand the code of openssh in detail - hence my question here. > > Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to understand what the actual problem is, but failed: > > --- channels_old.c Mon Mar 4 02:07:06 2002 > +++ channels.c Mon Mar 4 02:07:16 2002 > @@ -151,7 +151,7 @@ > channel_lookup(int id) > { > Channel *c; > - if (id < 0 || id > channels_alloc) { > + if (id < 0 || id >= channels_alloc) { > log("channel_lookup: %d: bad id", id); > return NULL; > } > > > What does that mean? > If id is less than 0 (are we talking about the unix uid?) This code is working with the concept of separated channels of traffic within a single ssh connection. for more details, see: https://tools.ietf.org/html/rfc4254#section-5 The id is the number of the channel being looked up. > or id greater than channels_alloc - log & return null) > > Is this check for detecting users (not root) trying to do something nasty? in C, like many programming languages, arrays are 0-indexed. This means that if you have 4 channels allocated, they are numbers 0, 1, 2, and 3, but there is no "channel 4". The patch above ensures that someone calling channel_lookup(4) when 4 channels are allocated will get the appropriate response (an error response), instead of trying trying to return information about a channel that doesn't exist. hth, --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev