Displaying 4 results from an estimated 4 matches for "hash_iv".
2006 May 15
1
[PATCH 2/12] bug fix: openssh-4.3p2 NULL dereference
...penssh-4.3p2/deattack.c 2003-09-22 06:04:23.000000000 -0500
+++ openssh-4.3p2-kylie/deattack.c 2006-05-04 15:10:19.000000000 -0500
@@ -137,7 +137,7 @@ detect_attack(u_char *buf, u_int32_t len
for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
i = (i + 1) & (n - 1)) {
if (h[i] == HASH_IV) {
- if (!CMP(c, IV)) {
+ if (IV && !CMP(c, IV)) {
if (check_crc(c, buf, len, IV))
return (DEATTACK_DETECTED);
else
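Review bot: The added `IV &&` test protects only the `CMP(c, IV)` dereference in the `h[i] == HASH_IV` branch, so any other use of `IV` in detect_attack or in check_crc() (both outside this hunk) needs the same confirmation that a NULL `IV` is tolerated. Whether the `HASH_IV` marker can be stored in the table at all when `IV` is NULL is also not visible here; if it cannot, the check is purely defensive and should carry a comment such as `/* IV may be NULL; a HASH_IV slot then never matches */`. With the guard in place, a NULL `IV` on a `HASH_IV` slot makes the loop keep probing instead of taking the `else` exit, which looks intended but is worth stating in that comment. detect_attack's body starts and ends outside the hunk.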
2003 Aug 22
0
[PATCH] memory leaked leaving scope
..., IV))) {
+ if (h)
+ xfree(h);
return (DEATTACK_DETECTED);
- else
+ } else
break;
}
}
}
+ if (h)
+ xfree(h);
return (DEATTACK_OK);
}
memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
@@ -138,19 +144,25 @@
i = (i + 1) & (n - 1)) {
if (h[i] == HASH_IV) {
if (!CMP(c, IV)) {
- if (check_crc(c, buf, len, IV))
+ if (check_crc(c, buf, len, IV)) {
+ if (h)
+ xfree(h);
return (DEATTACK_DETECTED);
- else
+ } else
break;
}
} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
- if (check_crc(c, buf, len, I...
2001 Feb 08
0
[CORE SDI ADVISORY] SSH1 CRC-32 compensation attack detector vulnerability
..., thus allowing an attacker to execute arbitrary code on the
vulnerable
machine, see lines marked with (*):
for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++)
{
(*) for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
i = (i + 1) & (n - 1))
{
if (h[i] == HASH_IV)
{
if (!CMP(c, IV))
{
if (check_crc(c, buf, len, IV))
return (DEATTACK_DETECTED);
else
break;
}
} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE))
{
if (check_crc(c, buf, len, IV))
return (DEATTACK_...
2002 Sep 23
19
Call for testing for 3.5 OpenSSH
OpenBSD tree is heading into a lock and this includes OpenSSH. So we are
winding up for a 3.5 release. If we can get people to test the current
snapshots and report any problems that would improve the odds that your
platform won't be broken for 3.5.
Issues I know of right now.
1. I can't test NeXT. So I TRULY need someone in that community to test
for me. Last I heard there was