Bugtraq mailing list archives

Re: More ssh fun (sshd this time)

From: ccraig () CC GATECH EDU (Christopher Craig)
Date: Wed, 27 Aug 1997 11:48:35 -0400


Included From: Solar Designer <solar () FALSE COM>:

+   if (port > 65535)
+     packet_disconnect("Requested port is %d is invalid",port);


This still doesn't fix the problem since port is defined as a signed int,
and negative values will pass your check. Of course, their lower 16 bits
may represent a privileged port number.


The lines directly after this in the code are

    if (port < 1024 && !is_root)
      packet_disconnect("Requested forwarding of port %d but user is not root.",

It looks like that should catch negative (as well as privileged)
port numbers, so I don't think the patch really has to fix that
problem at all.

--
Christopher Craig (ccraig () cc gatech edu)
"You could shoot Microsoft Office off the planet and this country would
 run better. You would see everyone standing around saying, 'I've got
 so much time now.' "  Scott McNealy (CEO of Sun)
PGP Key Verification: EE B1 F3 A0 3F BC 3C C7  81 61 F1 91 6E 99 13 65
http://www.cc.gatech.edu/people/home/ccraig

Current thread:

More ssh fun (sshd this time) Ivo van der Wijk (Aug 19)
- Re: More ssh fun (sshd this time) Olaf Titz (Aug 23)
- Sun Security Bulletin #00152 Aleph One (Aug 25)
- Sun Security Bulletin #00153 Aleph One (Aug 25)
- Active X exploit. Peter Shipley (Aug 25)
- Re: More ssh fun (sshd this time) Wietse Venema (Aug 25)
- <Possible follow-ups>
- Re: More ssh fun (sshd this time) Thamer Al-Herbish (Aug 23)
  - Re: More ssh fun (sshd this time) Solar Designer (Aug 27)
  - Re: More ssh fun (sshd this time) Paul H. Hargrove (Aug 27)
- Re: More ssh fun (sshd this time) Christopher Craig (Aug 27)
  - Integer Overflows Solar Designer (Aug 27)