Hi,

I'm not a programmer nor able to fully understand the code of openssh in detail - hence my question here.

Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to understand what the actual problem is, but failed:

--- channels_old.c	Mon Mar  4 02:07:06 2002
+++ channels.c	Mon Mar  4 02:07:16 2002
@@ -151,7 +151,7 @@
 channel_lookup(int id)
 {
 	Channel *c;
-	if (id < 0 || id > channels_alloc) {
+	if (id < 0 || id >= channels_alloc) {
 		log("channel_lookup: %d: bad id", id);
 		return NULL;
 	}

What does that mean?
If id is less than 0 (are we talking about the unix uid?)
or id greater than channels_alloc - log & return null)

Is this check for detecting users (not root) trying to do something nasty?

Thank you.

Stefan
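Review bot: the `-` line of this hunk is an off-by-one bound: with `channels_alloc` slots the valid channel numbers are `0` through `channels_alloc - 1`, so `id > channels_alloc` still lets `id == channels_alloc` through and the lookup that follows indexes one slot past the end of the channel table; the `+` line's `id >= channels_alloc` is the correct upper bound. Keep the `id < 0` half as well, since `id` is a signed `int`. A short comment next to the check stating the valid range (`0 <= id < channels_alloc`) would make the intent obvious to the next reader and make a regression to `>` easy to spot.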
Daniel Kahn Gillmor
2014-Dec-30 18:24 UTC
CVE-2002-0083 - whats the problem? beginners question
On 12/30/2014 01:13 PM, Stefan Bauer wrote:
> I'm not a programmer nor able to fully understand the code of openssh in detail - hence my question here.
> 
> Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to understand what the actual problem is, but failed:
> 
> --- channels_old.c Mon Mar 4 02:07:06 2002
> +++ channels.c Mon Mar 4 02:07:16 2002
> @@ -151,7 +151,7 @@
> channel_lookup(int id)
> {
> Channel *c;
> - if (id < 0 || id > channels_alloc) {
> + if (id < 0 || id >= channels_alloc) {
> log("channel_lookup: %d: bad id", id);
> return NULL;
> }
> 
> 
> What does that mean?
> If id is less than 0 (are we talking about the unix uid?)

This code is working with the concept of separated channels of traffic within a single ssh connection. For more details, see:

https://tools.ietf.org/html/rfc4254#section-5

The id is the number of the channel being looked up.

> or id greater than channels_alloc - log & return null)
> 
> Is this check for detecting users (not root) trying to do something nasty?

In C, like many programming languages, arrays are 0-indexed. This means that if you have 4 channels allocated, they are numbers 0, 1, 2, and 3, but there is no "channel 4".

The patch above ensures that someone calling channel_lookup(4) when 4 channels are allocated will get the appropriate response (an error response), instead of trying to return information about a channel that doesn't exist.

hth,

--dkg
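The off-by-one dkg describes, as an added example that is not OpenSSH's code: a small model of the channel table with the pre-fix and fixed bounds side by side. The `Channel` struct, its `tag` field, `setup_channels()` and the sentinel slot are constructed for the demo; only `channels`, `channels_alloc` and the two `if` conditions follow the real code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for OpenSSH's Channel; only `self` mirrors the real one. */
typedef struct {
    int  self;        /* channel number */
    char tag[16];     /* "real" or "PAST-END", set by setup_channels() */
} Channel;

/* Modelled after the server's globals: channel pointers + allocated slot count. */
static Channel **channels;
static int       channels_alloc;

/* Pre-fix bound: id == channels_alloc passes and reads one slot past the table. */
static Channel *channel_lookup_old(int id)
{
    if (id < 0 || id > channels_alloc)
        return NULL;
    return channels[id];
}

/* Fixed bound (CVE-2002-0083): only 0 .. channels_alloc-1 are valid. */
static Channel *channel_lookup_new(int id)
{
    if (id < 0 || id >= channels_alloc)
        return NULL;
    return channels[id];
}

/* Table with n real channels plus one extra, sentinel slot beyond the end so the
 * old check's out-of-bounds read is observable without undefined behaviour.
 * In the real server that slot is whatever memory follows the table. */
static void setup_channels(int n)
{
    channels = calloc((size_t)n + 1, sizeof *channels);
    channels_alloc = n;
    for (int i = 0; i <= n; i++) {
        channels[i] = calloc(1, sizeof **channels);
        channels[i]->self = i;
        strcpy(channels[i]->tag, i < n ? "real" : "PAST-END");
    }
}

int main(void)
{
    setup_channels(4);   /* channels 0..3 exist; there is no channel 4 */
    Channel *o = channel_lookup_old(4), *n = channel_lookup_new(4);
    printf("old check, id 4: %s\nnew check, id 4: %s\n", o ? o->tag : "NULL", n ? n->tag : "NULL");
    return 0;
}
```

With four channels allocated, the old check hands back the sentinel slot for id 4 while the fixed check returns NULL.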
On Tue, 2014-12-30 at 13:24 -0500, Daniel Kahn Gillmor wrote:
> This means that if you have 4 channels allocated, they are numbers 0, 1,
> 2, and 3, but there is no "channel 4".
> 
> The patch above ensures that someone calling channel_lookup(4) when 4
> channels are allocated will get the appropriate response (an error
> response), instead of trying to return information about a
> channel that doesn't exist.

Thank you! Now all is clear to me.

Stefan