Bugtraq mailing list archives

Re: [PINE-CERT-20020301] OpenSSH off-by-one


From: Attila Nagy <bra () fsn hu>
Date: Fri, 8 Mar 2002 20:50:17 +0100 (CET)

Hello,

Does anyone know which versions of the commercial SSH (if any) are
vulnerable?
The diff between the vulnerable version and the good one is:
-       if (id < 0 || id > channels_alloc) {
+       if (id < 0 || id >= channels_alloc) {
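Review bot: the '-' line still accepts id == channels_alloc, which is one past the last valid index (0 .. channels_alloc-1) of the channel table, so the '+' line's change from `>` to `>=` is the actual fix; any other place that validates a channel id against channels_alloc should use the same `>=` form.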

The function channel_lookup appeared in channels.c on Tue Mar 28 20:31:25
2000 UTC, 23 months, 1 week ago
in this form:
+       if (id < 0 && id > channels_alloc) {
+               log("channel_lookup: %d: bad id", id);
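Review bot: `id < 0 && id > channels_alloc` can never be true, since no id is both negative and greater than channels_alloc, so the `log("channel_lookup: %d: bad id", id)` branch is unreachable and no id is ever rejected here; the test should be `id < 0 || id >= channels_alloc` so that negative ids and id == channels_alloc are both refused.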

See
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.40&r2=1.41
for the diff.

Then on Sun Jun 25 20:17:57 2000 UTC, 20 months, 1 week ago the above line
changed:
-       if (id < 0 && id > channels_alloc) {
+       if (id < 0 || id > channels_alloc) {
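Review bot: switching `&&` to `||` makes the check live for the first time, but `id > channels_alloc` still lets id == channels_alloc through, which indexes one element past the end of the table; the comparison should be `id >= channels_alloc`.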

See
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.62&r2=1.63
for the diff.

In ssh.com's 3.1.0 there is no channels.c or channels_alloc, so I think
this bug does not affect that (or not exactly the same way as in OpenSSH
:).

--------------------------------------------------------------------------
Attila Nagy                                    e-mail:  Attila.Nagy () fsn hu
Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758

