Integer overflow and security

http://www.openssh.org/txt/preauth.adv

See the change:

diff -u -r1.18 auth2-chall.c
— auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
+++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@

authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
+ if (nresp > 100)
+ fatal(“input_userauth_info_response: nresp too big %u”, nresp);
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)

nresp * sizeof(char*) was an overflow bug.
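
Review bot: the limit in the added `if (nresp > 100)` check is a bare magic number, and the allocation two lines below it, `xmalloc(nresp * sizeof(char*))`, is still an unchecked multiplication that is safe only because of that limit. Consider a named constant for the bound with a comment saying why 100 is enough, plus an overflow check at the allocation itself (reject when nresp exceeds the largest size_t value divided by sizeof(char*)), so the multiplication stays safe if the bound is later raised or the check is moved.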

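Why the multiplication is dangerous, and what a checked allocation looks like, as an added example (not OpenSSH code and not from the original post). It models a 32-bit target with `uint32_t`; `wrapped_alloc_size`, `checked_mul`, `alloc_responses` and the sample count are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: model a 32-bit target, where size_t is 32 bits wide
 * and sizeof(char *) is 4. */
#define PTR_SIZE_32 4u

/* Byte count that nresp * sizeof(char *) yields in 32-bit arithmetic. */
static uint32_t wrapped_alloc_size(uint32_t nresp)
{
    return (uint32_t)(nresp * PTR_SIZE_32); /* wraps modulo 2^32 */
}

/* Store count * elem_size in *out and return 1, or return 0 if the
 * product does not fit in size_t. */
static int checked_mul(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Hypothetical helper: room for nresp pointers, or NULL when the count
 * is zero, above max_resp, or the byte count would overflow. */
static char **alloc_responses(uint32_t nresp, uint32_t max_resp)
{
    size_t bytes;

    if (nresp == 0 || nresp > max_resp)
        return NULL;
    if (!checked_mul(nresp, sizeof(char *), &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t nresp = 0x40000001u; /* constructed oversized count */
    char **ok = alloc_responses(3, 100);

    printf("%u slots requested, %u bytes allocated when 32-bit\n",
           (unsigned)nresp, (unsigned)wrapped_alloc_size(nresp));
    printf("checked path rejects it: %s\n",
           alloc_responses(nresp, 100) == NULL ? "yes" : "no");
    free(ok);
    return 0;
}
```

With the constructed count, the wrapped size is only 4 bytes, while the loop that follows the allocation in the patched function would still iterate `nresp` times.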
Comments

One response to “Integer overflow and security”

  1. […] be aware of subtle overflow here. low + high can be larger than the maximum value of int range. OpenSSH vulnerability was also due to subtle […]
