bugzilla-daemon at mindrot.org
2024-Sep-11 11:01 UTC
[Bug 3730] New: Integer overflow when adding 6000 and display_number
https://bugzilla.mindrot.org/show_bug.cgi?id=3730

Bug ID: 3730
Summary: Integer overflow when adding 6000 and display_number
Product: Portable OpenSSH
Version: 9.8p1
Hardware: Other
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: Build system
Assignee: unassigned-bugs at mindrot.org
Reporter: suhov.ra at npc-ksb.ru

File: https://github.com/openssh/openssh-portable/blob/master/channels.c
Line: 5239

There is virtually no chance of integer overflow when adding 6000 to display_number. The display_number variable is read from a string containing the value of the DISPLAY environment variable, which typically points to an X server on the system. The variable is of type unsigned int, which limits its range of values to 0 to UINT_MAX. In theory, for overflow to occur, display_number must be large enough that the sum exceeds the maximum value for unsigned int.

The following check can be added to rule out the possibility of integer overflow:

    if (display_number > UINT_MAX - 6000) {
        error("display_number too large, possible integer overflow.");
        return -1;
    }

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Sep-11 11:35 UTC
[Bug 3730] Integer overflow when adding 6000 and display_number
https://bugzilla.mindrot.org/show_bug.cgi?id=3730

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
> The display_number variable is read from a string containing the
> value of the DISPLAY environment variable

That is not correct. This code is used to *set* the DISPLAY environment variable. The starting value comes from the sshd_config X11DisplayOffset configuration option.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Sep-11 11:36 UTC
[Bug 3730] Integer overflow when adding 6000 and display_number
https://bugzilla.mindrot.org/show_bug.cgi?id=3730

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
*** Bug 3731 has been marked as a duplicate of this bug. ***

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
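
An added example, not part of the bug thread and not OpenSSH code: it puts the check proposed in the report next to a stricter bound on the resulting TCP port, and shows what the bare addition yields for constructed inputs. The helper names, the unsigned int parameter type and the sample values are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define X11_BASE_PORT 6000u   /* the constant named in the bug summary */
#define TCP_PORT_MAX  65535u  /* largest valid TCP port number */

/* The bare addition: unsigned arithmetic wraps modulo UINT_MAX + 1. */
static unsigned int
unchecked_port(unsigned int display_number)
{
	return X11_BASE_PORT + display_number;
}

/* What a 16-bit port field would hold if the sum were stored unchecked. */
static uint16_t
port_as_u16(unsigned int display_number)
{
	return (uint16_t)unchecked_port(display_number);
}

/*
 * Hypothetical helper, not an OpenSSH function: map a display number to
 * a TCP port. Returns 0 and stores the port on success, -1 on rejection.
 */
static int
display_to_port(unsigned int display_number, unsigned int *port)
{
	/* Check from the report: the addition must not wrap. */
	if (display_number > UINT_MAX - X11_BASE_PORT)
		return -1;
	/* Stricter bound: the sum must also be a valid TCP port. */
	if (display_number > TCP_PORT_MAX - X11_BASE_PORT)
		return -1;
	*port = X11_BASE_PORT + display_number;
	return 0;
}

int
main(void)
{
	/* Constructed sample inputs, chosen to hit each branch. */
	unsigned int s[] = { 10, 59535, 59536, 65536, UINT_MAX - 5999, UINT_MAX };
	size_t i;

	for (i = 0; i < sizeof(s) / sizeof(s[0]); i++) {
		unsigned int port = 0;
		int r = display_to_port(s[i], &port);

		printf("display %u: unchecked=%u u16=%u %s port=%u\n",
		    s[i], unchecked_port(s[i]), (unsigned int)port_as_u16(s[i]),
		    r == 0 ? "ok" : "rejected", port);
	}
	return 0;
}
```

The second bound makes the first redundant; both are kept so the difference between "does not wrap" and "is a valid port" is visible in the output.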