search for: hash_unused

http://bugzilla.mindrot.org/show_bug.cgi?id=775 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From djm at mindrot.org 2004-12-20 10:59

...prN openssh-4.3p2/deattack.c openssh-4.3p2-kylie/deattack.c --- openssh-4.3p2/deattack.c 2003-09-22 06:04:23.000000000 -0500 +++ openssh-4.3p2-kylie/deattack.c 2006-05-04 15:10:19.000000000 -0500 @@ -137,7 +137,7 @@ detect_attack(u_char *buf, u_int32_t len for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; i = (i + 1) & (n - 1)) { if (h[i] == HASH_IV) { - if (!CMP(c, IV)) { + if (IV && !CMP(c, IV)) { if (check_crc(c, buf, len, IV)) return (DEATTACK_DETECTED); else

...65536 for large input buffers, is assigned to a 16-bit local variable, effectively causing it to be set to 0. Due to specific malloc(0) behavior, memory allocation routine will be passed, creating buffer of size (malloc_usable_size) 12. Next: for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; We can see n-1 here, and n is equal to 0. Because i is an unsigned 32-bit integer, it would cause integer overflow. This code will be equal to i = HASH(c) & 0xffffffff. Binary AND operator reduces this to i = HASH(c). Pointer 'c' is referencing client-provided cryptographic packet, a...

OpenBSD tree is heading into a lock and this includes OpenSSH. So we are winding up for a 3.5 release. If we can get people to test the current snapshots and report any problems that would improve the odds that your platform won't be broke for 3.5. Issues I know off of right now. 1. I can't test NeXT. So I TRULY need someone in that community to test for me. Last I heard there was

This patch is against Cray patch against openssh-SNAP-20010710. Here a few notes about them: 1) rijndael does not work on cray due to the fact it is rooted in 32 bits. I looking for a fix, it may come form Wendy Palam. For now the cray default to the following cihpers for ssh version 2 ssh are: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour 2) Crays don't have setitimer so I

...ary memory locations in the program (ssh server or client) address space, thus allowing an attacker to execute arbitrary code on the vulnerable machine, see lines marked with (*): for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { (*) for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; i = (i + 1) & (n - 1)) { if (h[i] == HASH_IV) { if (!CMP(c, IV)) { if (check_crc(c, buf, len, IV)) return (DEATTACK_DETECTED); else break; } } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE))...