search for: nalloc

Displaying 20 results from an estimated 21 matches for "nalloc".

2003 Sep 16
5
OpenSSH Security Advisory: buffer.adv
This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH
2007 Feb 23
1
ssh-agent does not immediately clean timeouted keys from memory
During my seminar of advanced exploitation techniques (SEAT, [1]) I developed some methods to crack into system via DMA (e.g. via firewire). As part of this I developed a program that steals loaded ssh private keys from ssh-agents. I was astonished to find that the keys are not immediately removed from the agent when a timeout occurs, but only the next time the agent is queried via its socket. I
2012 Dec 04
2
OpenSSH warnings on FreeBSD
...====================================== RCS file: /cvs/openssh/serverloop.c,v retrieving revision 1.172 diff -u -p -r1.172 serverloop.c --- serverloop.c 2 Dec 2012 22:50:55 -0000 1.172 +++ serverloop.c 4 Dec 2012 11:46:33 -0000 @@ -708,7 +708,7 @@ server_loop(pid_t pid, int fdin_arg, int &nalloc, max_time_milliseconds); if (received_sigterm) { - logit("Exiting on signal %d", received_sigterm); + logit("Exiting on signal %d", (int)received_sigterm); /* Clean up sessions, utmp, etc. */ cleanup_exit(255); } @@ -858,7 +858,7 @@ server_loop2(Authctxt *auth...
2001 Nov 09
4
keystroke timing attack
I'm reading this fine article on O'Reilly: http://linux.oreillynet.com/lpt/a//linux/2001/11/08/ssh_keystroke.html <quote> The paper concludes that the keystroke timing data observable from today's SSH implementations reveals a dangerously significant amount of information about user terminal sessions--enough to locate typed passwords in the session data stream and reduce the
2001 Oct 16
1
Defeating Timing Attacks Patch for OpenSSH 2.9.9p2 and 2.9p2
...). */ - -static void +/* + * SD Mod: We changed the return value of client_wait_until_can_do_something + * from void to int. It now returns 1 if the steno_timer has expired and 0 if not. + */ +int client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int *nallocp, int rekeying) { + /* SD Mod: added variable steno_timer */ + static struct timeval steno_timer = {0, 50000}; + + int return_val = 0; + long int prev_timer_val = 0; + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writ...
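Review bot: In the changed signature of client_wait_until_can_do_something, the `static` qualifier is dropped along with the switch from void to int, which gives the function external linkage; keep it as `static int` unless another file needs to call it. The new comment documents a 1/0 return value, so every existing caller should be checked to either use or explicitly ignore it. The static steno_timer initialised to {0, 50000} would also read better with a named constant and a comment stating the unit (50000 microseconds in a struct timeval).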
2001 Oct 06
1
Defeating Timing Attacks
Hello, In response to the timing analysis attacks presented by Dawn Song et al. in her paper http://paris.cs.berkeley.edu/~dawnsong/ssh-timing.html we at Silicon Defense developed a patch for openssh to avoid such measures. Timing Analysis Evasion changes were developed by C. Jason Coit and Roel Jonkman of Silicon Defense. These changes cause SSH to send packets unless requested not to,
2002 Feb 06
2
SFTP Status Bar..
...enssh/misc.c Wed Feb 6 13:15:55 2002 @@ -30,6 +30,7 @@ #include "misc.h" #include "log.h" #include "xmalloc.h" +#include "atomicio.h" /* remove newline at end of string */ char * @@ -304,6 +305,139 @@ args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); args->list[args->num++] = xstrdup(buf); args->list[args->num] = NULL; +} + +/* scp/sftp progression meter (from src/usr.bin/ftp/util.c) */ +static int +foregroundproc(void) +{ + static pid_t pgrp = -1; + int ctty_pgrp; + + if (pgrp == -1) + pgrp = getpgrp(); + +...
2001 Oct 10
7
OpenSSH solaris: bad return code after exec of remote command
Hi OpenSSH developers, I am using openSSH (now 2.9.9p2, but prob occurs in 2.9p2 also) to execute commands on a remote machine which outputs data to stdout then pipes it to another invocation of ssh which connects back to the first machine in the same way, where it starts a program to read and store the output from the command on the second machine. I am using the "command" option in
2005 Jan 19
1
sshd hangs
...rekeying = (xxx_kex != NULL && !xxx_kex->done); if (!rekeying && packet_not_very_much_data_to_write()) channel_output_poll(); wait_until_can_do_something(&readset, &writeset, &max_fd, &nalloc, 0); [ ...] and it hangs in the select() call in wait_until_can_do_something(). question: why is the wait time set to 0 (= wait forever) ? server_loop() (the interactive function) does not set it to 0. if the child exits without the parent noting it then we hung forever which is bad. i tried...
2001 Oct 29
0
signal messages
...* Implements the interactive session with the server. This is called after * the user has been authenticated, and a command has been started on the @@ -778,7 +803,7 @@ fd_set *readset = NULL, *writeset = NULL; double start_time, total_time; int max_fd = 0, max_fd2 = 0, len, rekeying = 0, nalloc = 0; - char buf[100]; + char *signame, buf[100]; debug("Entering interactive session."); @@ -819,6 +844,10 @@ client_init_dispatch(); + /* for protocol v2 we try to send the signal to the remote host */ + if (compat20 && !have_pty && ssh2_chan_id != -1) + send...
2005 Sep 04
2
ControlPersist and multiple X11 forwarding.
Three patches attached. One implements a 'ControlPersist' option, which when used with 'ControlMaster auto' or 'ControlMaster yes' makes the master background itself and stick around after its own primary session is completed. The second causes control clients to pass X11 display, auth proto and auth data over the control socket so that appropriate X11
2011 Dec 30
7
[Bug 1967] New: Potential memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=1967 Bug #: 1967 Summary: Potential memory leak Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: unassigned-bugs at
2012 Mar 11
2
[patch] Threading support in ssh-agent
...to increase.\n", MAX_THREADS); + usage(); + } +#else + fprintf(stderr, "Threading support not compiled in. \"-p numthreads\" not supported.\n"); + usage(); +#endif + break; default: usage(); } @@ -1355,6 +1675,27 @@ signal(SIGTERM, cleanup_handler); nalloc = 0; +#ifdef HAVE_LIBPTHREAD + if (numthreads == -1) { +#ifdef HAVE___SC_NPROCESSORS_CONF + numthreads = sysconf(_SC_NPROCESSORS_CONF); + if (numthreads == -1) { + error("sysconf(_SC_NPROCESSORS_CONF): %s", strerror(errno)); + error("Defaults to single-thread mode."); +...
2002 Jan 31
4
signal transmission in ssh2
...* Implements the interactive session with the server. This is called after * the user has been authenticated, and a command has been started on the @@ -778,7 +803,7 @@ fd_set *readset = NULL, *writeset = NULL; double start_time, total_time; int max_fd = 0, max_fd2 = 0, len, rekeying = 0, nalloc = 0; - char buf[100]; + char *signame, buf[100]; debug("Entering interactive session."); @@ -819,6 +844,10 @@ client_init_dispatch(); + /* for protocol v2 we try to send the signal to the remote host */ + if (compat20 && !have_pty && ssh2_chan_id != -1) + send...
2012 Dec 21
0
File Attachments for previous bug report
...- bzero(grp, sizeof(*grp)); + memset(grp, 0, sizeof(*grp)); xfree(grp); } -------------- next part -------------- --- session.c.orig 2012-12-19 17:29:24.289506673 -0800 +++ session.c 2012-12-19 17:29:50.967542588 -0800 @@ -1840,7 +1840,7 @@ fatal("%s: insane session id %d (max %d nalloc %d)", __func__, id, options.max_sessions, sessions_nalloc); } - bzero(&sessions[id], sizeof(*sessions)); + memset(&sessions[id], 0, sizeof(*sessions)); sessions[id].self = id; sessions[id].used = 0; sessions[id].chanid = -1; -------------- next part --------------...
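Review bot: In the first region, memset(grp, 0, sizeof(*grp)) is immediately followed by xfree(grp), so the compiler may treat the store as dead and remove it. If the clear is there to scrub the structure before release, use a zeroing call that cannot be optimised away, such as explicit_bzero() where available; if it is not needed for that, it can be dropped. The session.c replacement is a straight equivalent, since sizeof(*sessions) is the size of one element.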
2002 Jan 30
1
Quick sftp status indicator.
...0); +} Index: misc.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/misc.h,v retrieving revision 1.11 diff -u -r1.11 misc.h --- misc.h 2002/01/24 21:09:25 1.11 +++ misc.h 2002/01/29 23:16:28 @@ -30,4 +30,9 @@ int num; int nalloc; }; + void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void progressmeter(int flag, off_t statbytes, off_t totalbytes, char *curfile); + +#define PROGRESSTIME 1 /* alarm() interval for updating progress meter */ + Index: scp.c ====================================...
2002 Feb 02
0
Version two of progressbar for scp/sftp
...0); +} Index: misc.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/misc.h,v retrieving revision 1.11 diff -u -r1.11 misc.h --- misc.h 2002/01/24 21:09:25 1.11 +++ misc.h 2002/02/02 21:47:40 @@ -30,4 +30,8 @@ int num; int nalloc; }; + void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void progressmeter(off_t statbytes, off_t totalbytes, char *curfile); + +#define PROGRESSTIME 1 /* alarm() interval for updating progress meter */ Index: scp.c ================================================...
2006 Sep 07
12
Multiple (multiplexed) simultaneous ssh connections - Cygwin bug?
Hello, I need to make many (>50) ssh connections from linux to cygwin at the same time. Using Windows 2000 Server (OpenSSH_4.3p2, OpenSSL 0.9.8b and updated cygwin) and Linux RHEL4 (OpenSSH_3.9p1, OpenSSL 0.9.7a). It's been difficult to optimize many simultaneous connections. Here were some issues: 1. On Windows XP/Professional, Microsoft intentionally cripples the TCP/IP stack.
2012 Dec 20
4
Deprecated calls to bzero() and index() found in OpenSSH 6.1p1
...laced the bzero() call with the equivalent memset() call. The patch file is below in (diff -u) format: --- session.c.orig 2012-12-19 17:29:24.289506673 -0800 +++ session.c 2012-12-19 17:29:50.967542588 -0800 @@ -1840,7 +1840,7 @@ fatal("%s: insane session id %d (max %d nalloc %d)", __func__, id, options.max_sessions, sessions_nalloc); } - bzero(&sessions[id], sizeof(*sessions)); + memset(&sessions[id], 0, sizeof(*sessions)); sessions[id].self = id; sessions[id].used = 0; sessions[id].chanid =...
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
...hu May 9 12:18:34 2002 +++ openssh-3.1p1-mods/serverloop.c Thu May 9 12:20:03 2002 @@ -734,12 +734,13 @@ } void - -server_loop2(Authctxt *authctxt) +server_loop2(Authctxt *authctxt, const char *realname) { fd_set *readset = NULL, *writeset = NULL; int rekeying = 0, max_fd, nalloc = 0; debug("Entering interactive session for SSH2."); + debug("VIX realname is %s ", realname); mysignal(SIGCHLD, sigchld_handler); child_terminated = 0; @@ -996,10 +997,20 @@ } static void server_input_channel_req(int type, u_int32_t seq, void...
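Review bot: The added debug("VIX realname is %s ", realname) in server_loop2 hands realname to %s with no NULL check visible in the hunk, and the format string ends in a stray space. Guard the argument (for example realname ? realname : "(null)") and drop the trailing space. Since the signature gains a second parameter, the prototype and every caller of server_loop2 need the matching update, and the new parameter deserves a comment saying what it carries.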