Hi,

When ssh accesses a config file that contains a zero byte it'll expose a stack overflow. This can only be seen with valgrind or with compiling ssh with address sanitizer. I'll attach the address sanitizer and valgrind output.

Reproduce:

dd if=/dev/zero of=zero bs=1 count=1
valgrind -q ssh -F zero x

This was found while fuzzing ssh with american fuzzy lop.

(Please CC me on replies, I'm not subscribed to the list.)

cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@xxxxxxxxx
GPG: BBB51E42
Attachments: ssh-stackoverflow-asan.txt.gz (application/gzip), ssh-stackoverflow-valgrind.txt.gz (application/gzip)
openssh-unix-dev mailing list, openssh-unix-dev@xxxxxxxxxxx, https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
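A small triage helper around the reproduction above, added here as an example and not part of Hanno's report or of OpenSSH: it builds the one-byte config the report describes, offers a cheap NUL-byte pre-check for config input, and classifies a memory-checker log so that fuzz-found crashes of this kind can be sorted automatically. The function names, the log patterns matched, and the `.log` file name are my own assumptions.

```shell
#!/bin/sh
# Added triage helper (assumed names; not from the report or OpenSSH).
set -u

# Write the reproducer exactly as the report describes: a single NUL byte.
make_nul_config() {
    dd if=/dev/zero of="$1" bs=1 count=1 2>/dev/null
}

# Return 0 if FILE contains at least one NUL byte, 1 otherwise.
# A wrapper could apply this check before handing an untrusted config
# file to a line-oriented C parser, which is where NUL bytes cause trouble.
has_nul_byte() {
    total=$(wc -c < "$1")
    stripped=$(tr -d '\000' < "$1" | wc -c)
    [ $((total)) -ne $((stripped)) ]
}

# Classify a checker log: prints "asan", "valgrind" or "clean".
# Patterns are the usual report markers of the two tools (assumption).
classify_log() {
    if grep -q 'AddressSanitizer' "$1"; then
        echo asan
    elif grep -Eq 'Invalid (read|write)|Conditional jump|uninitialised' "$1"; then
        echo valgrind
    else
        echo clean
    fi
}

# Run the report's reproduction under valgrind when both tools are present;
# the crash is only visible under a memory checker, so a plain run is useless.
repro() {
    cfg=${1:-zero}
    make_nul_config "$cfg"
    if ! command -v valgrind >/dev/null || ! command -v ssh >/dev/null; then
        echo "valgrind or ssh not installed; skipping run" >&2
        return 2
    fi
    valgrind -q ssh -F "$cfg" x >"$cfg.log" 2>&1 || true
    classify_log "$cfg.log"
}
```

Call `repro zero` to reproduce the report and get the one-word classification; `has_nul_byte` and `classify_log` work without ssh installed.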