Displaying 20 results from an estimated 400 matches similar to: "[PATCH 2/12] bug fix: openssh-4.3p2 NULL dereference"
2006 May 15
2
[PATCH 10/12] bugfix: openssh-4.3p2: memory leak
The variable local_user was allocated by xstrdup and is not freed or
pointed to in this branch. This patch adds the xfree. This entire set
of patches passed the regression tests on my system. Bug found by
Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
sshconnect.c | 1 +
1 files changed, 1 insertion(+)
diff -uprN openssh-4.3p2/sshconnect.c
2001 Feb 08
0
[CORE SDI ADVISORY] SSH1 CRC-32 compensation attack detector vulnerability
CORE SDI
http://www.core-sdi.com
SSH1 CRC-32 compensation attack detector vulnerability
Date Published: 2001-02-08
Advisory ID: CORE-20010207
Bugtraq ID: 2347
CVE CAN: CAN-2001-0144
Title: SSH1 CRC-32 compensation attack detector vulnerability
Class: Boundary Error Condition
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Mode:
2003 Aug 22
0
[PATCH] memory leaked leaving scope
Index: openssh/deattack.c
===================================================================
RCS file: /cvs/openssh/deattack.c,v
retrieving revision 1.15
diff -u -r1.15 deattack.c
--- openssh/deattack.c 5 Mar 2002 01:53:05 -0000 1.15
+++ openssh/deattack.c 22 Aug 2003 05:34:05 -0000
@@ -112,20 +112,26 @@
if (len <= HASH_MINBLOCKS) {
for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
2001 Feb 08
0
BindView advisory: sshd remote root (bug in deattack.c)
Remote vulnerability in SSH daemon crc32 compensation attack detector
-----------------------------------------------------------------------
Issue date: 8 February 2001
Author: Michal Zalewski <lcamtuf at razor.bindview.com>
Contact: Scott Blake <blake at razor.bindview.com>
CVE: CAN-2001-0144
Topic:
Remotely exploitable vulnerability condition exists in most ssh daemon
2002 May 15
2
static h in detect_attack()
Hi All,
Did anybody ever have problems created by static h in function
detect_attack() in deattack.c? In our system which is based on pSOS OS, this
static h is causing a crash, because after closing first ssh session, the
pSOS system is allocating same memory to another ssh session and this static
h is overwriting that memory.
I would appreciate if you know why h is statically allocated.
2006 May 15
1
[PATCH 8/12] openssh-4.3p2 return code check bugs
The get_handle function can return a negative value. The variable that
value is assigned to is eventually passed to handle_close which uses the
value as an array index thus not being able to handle negative values.
This patch adds the return code check and provides an appropriate error
exit in the event of a negative return code. This entire set of patches
passed the regression tests on my
2006 Sep 30
9
FreeBSD Security Advisory FreeBSD-SA-06:22.openssh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-06:22.openssh Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in OpenSSH
Category: contrib
Module: openssh
Announced:
2002 Sep 23
19
Call for testing for 3.5 OpenSSH
OpenBSD tree is heading into a lock and this includes OpenSSH. So we are
winding up for a 3.5 release. If we can get people to test the current
snapshots and report any problems that would improve the odds that your
platform won't be broken for 3.5.
Issues I know of right now.
1. I can't test NeXT. So I TRULY need someone in that community to test
for me. Last I heard there was
2003 Sep 17
2
FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-03:12 Security Advisory
FreeBSD, Inc.
Topic: OpenSSH buffer management error
Category: core, ports
Module: openssh, ports_openssh,
2006 May 15
0
[PATCH 11/12] bugfix: openssh-4.3p2 variable reuse bug
Since the comment variable is used later in the function for other
purposes, it is necessary to NULL the variable so it can be
differentiated as a new allocation from the previous use remnants
(which have already been freed) to avoid using an already freed pointer
in the assignment comment = cp ? *cp : comment when the code path is
such that comment has not been reset. This entire set of
2006 May 15
0
[PATCH 1/12] bug fix: openssh-4.3p2 memory leak
The variable cmd is xmalloc'd by buffer_get_string. It is then used in
some places but never freed. This patch places the xfree after the last
usage and within the confines of all paths. This entire set of patches
passed the regression tests on my system. Memory leak bug found by
Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
clientloop.c | 2 ++
1 files changed,
2006 May 15
0
[PATCH 3/12] bug fix: openssh-4.3p2 resource leak
The file descriptor f is not closed in this error path. This patch adds
the fclose as is customary in the rest of the function. This entire set
of patches passed the regression tests on my system. Resource leak bug
found by Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
hostfile.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
diff -uprN
2006 May 15
0
[PATCH 4/12] bug fix: openssh-4.3p2 memory leak
If the operation in the function is not allowed memory is leaked in
three variables which were xmalloc'ed with buffer_get_string. In the
allowed case these variables are pointed to by variables with a greater
scope thus the reason this is a conditional leak. This entire set of
patches passed the regression tests on my system. Resource leak bugs
found by Coverity.
Signed-off-by:
2006 May 15
0
[PATCH 5/12] bug fix: openssh-4.3p2 scp bugs
There are 2 bugs here. The first is pipe's return code is not checked
in this instance and it can return a negative value. The purpose of the
call is to make sure 0 and 1 are not assigned to the pin and pout
descriptors because those values won't work for later calls. If the
pipe call fails the correct behavior cannot be ensured. This patch adds
an error case consistent with the rest
2006 May 15
0
[PATCH 6/12] bug fix: openssh-4.3p2 memory leak
cancel_address is allocated in packet_get_string and used in the call to
channel_cancel_rport_listener and then it goes out of scope. This patch
adds the xfree. This entire set of patches passed the regression tests
on my system. Resource leak bug found by Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
serverloop.c | 1 +
1 files changed, 1 insertion(+)
diff -uprN
2006 May 15
0
[PATCH 12/12] bug fix: openssh 4.3p2 ssh-rand-helper bugs
There are 2 bugs here. Since mkdir can return an error. The rest of
the function's operations depend on this directory being created thus an
error should be handled at this point.
The second is f is never closed. This patch adds the needed fclose.
This entire set of patches passed the regression tests on my system.
Bugs found by Coverity.
Signed-off-by: Kylene Hall <kjhall at
2006 May 15
0
[PATCH 7/12] bugfix: openssh-4.3p2
There are several memory management bugs here. First, the variable tmp
is allocated by infer_path. In one path this allocating function is
called again on the same variable without freeing the first instance.
In another path the variable is just not freed. The fix is to add the
xfree before the second call to infer_path and to move the existing
xfree to cover both paths (in one case this is on
2006 May 15
0
[PATCH 9/12] bug fix: openssh 4.3p2 possible NULL dereference
key is freed outside of the if that checks if key is NULL therefore,
NULL could be sent to the key_free function which will not handle it
correctly. The fix is to move key_free to a place where you know key is
not NULL. This patch moves the key_free call. This entire set of
patches passed the regression tests on my system. Bug found by Coverity.
Signed-off-by: Kylene Hall <kjhall at