simon-svn: putty: simon

Commits to Tartarus CVS repository. tartarus-commits at lists.tartarus.org
Mon Jul 28 18:47:37 BST 2014


SVN root:       svn://svn.tartarus.org/sgt
Changes by:     simon
Revision:       10211
Date:           2014-07-28 18:47:36 +0100 (Mon, 28 Jul 2014)

Log message (17 lines):
Fix another crash at KEXINIT time, ahem.

This is the same code I previously fixed for failing to check NULL
pointers coming back from ssh_pkt_getstring if the server's KEXINIT
ended early, leading to an embarrassing segfault in place of a fatal
error message. But I've now also had it pointed out to me that the
fatal error message passes the string as %s, which is inappropriate
because (being read straight out of the middle of an SSH packet) it
isn't necessarily zero-terminated!

This is still just an embarrassing segfault in place of a fatal error
message, and not exploitable as far as I can see, because the string
is passed to a dupprintf, which will either read off the end of
allocated address space and segfault non-exploitably, or else it will
find a NUL after all and carefully allocate enough space to format an
error message containing all of the previous junk. But still, how
embarrassing to have messed up the same code _twice_.

Modified files:
U   putty/ssh.c

Links:
http://svn.tartarus.org/sgt/?rev=10211&view=rev
http://svn.tartarus.org/sgt/putty/ssh.c?rev=10211&r1=10210&r2=10211
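The two mistakes the log message describes (not checking the NULL that a string reader returns when the packet ends early, and passing a length-delimited packet string to a printf-style `%s`) are easy to reproduce outside PuTTY. The following is an added example, not PuTTY's own code and not the diff linked above: `pkt_getstring`, `dupprintf` and `kex_check` are hypothetical stand-ins, and the sample KEXINIT fragments are constructed by hand. It reads an RFC 4251 `string` (uint32 big-endian length, then that many bytes) out of a buffer, fails cleanly on truncation, and formats the non-NUL-terminated name-list into the error message with `%.*s` and an explicit length.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cursor over a received SSH packet payload. */
struct pkt {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Read an SSH "string" (RFC 4251: uint32 big-endian length, then that many
 * bytes). Returns a pointer INTO the packet and sets *slen, or NULL if the
 * packet ends before the length field or the string body is complete.
 * The bytes are not NUL-terminated: whatever the packet holds next (or
 * nothing at all, if the buffer ends there) follows them directly. */
static const char *pkt_getstring(struct pkt *p, size_t *slen)
{
    if (p->len - p->pos < 4)
        return NULL;                         /* no room for the length field */
    uint32_t n = ((uint32_t)p->data[p->pos] << 24) |
                 ((uint32_t)p->data[p->pos + 1] << 16) |
                 ((uint32_t)p->data[p->pos + 2] << 8) |
                 (uint32_t)p->data[p->pos + 3];
    p->pos += 4;
    if (p->len - p->pos < n)
        return NULL;                         /* string body is truncated */
    const char *s = (const char *)p->data + p->pos;
    p->pos += n;
    *slen = n;
    return s;
}

/* Minimal malloc'ing printf, a stand-in for PuTTY's dupprintf (assumed). */
static char *dupprintf(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) { va_end(ap2); return NULL; }
    char *buf = malloc((size_t)n + 1);
    if (buf) vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Hypothetical KEXINIT handler: reads the first name-list (the kex
 * algorithm list) and returns a malloc'd fatal-error message when 'wanted'
 * is not in it, or NULL when agreement succeeds. Both failure modes from
 * the commit message are handled:
 *   1. a NULL from pkt_getstring is reported, never dereferenced;
 *   2. the list is printed with "%.*s" plus its length, never "%s",
 *      because the bytes are not NUL-terminated. */
static char *kex_check(const unsigned char *packet, size_t len, const char *wanted)
{
    struct pkt p = { packet, len, 0 };
    size_t slen;
    const char *list = pkt_getstring(&p, &slen);
    if (!list)
        return dupprintf("KEXINIT packet was incomplete");
    /* Exact-match scan of the comma-separated name-list. */
    size_t wl = strlen(wanted);
    const char *cur = list, *end = list + slen;
    while (cur < end) {
        const char *comma = memchr(cur, ',', (size_t)(end - cur));
        size_t nl = comma ? (size_t)(comma - cur) : (size_t)(end - cur);
        if (nl == wl && memcmp(cur, wanted, wl) == 0)
            return NULL;
        cur = comma ? comma + 1 : end;
    }
    /* SSH packets are far below INT_MAX bytes, so the int cast is safe. */
    return dupprintf("Couldn't agree a key exchange algorithm (available: %.*s)",
                     (int)slen, list);
}

/* Constructed sample KEXINIT fragments (not real captures). Adjacent string
 * literals keep the hex escapes from swallowing the letters that follow. */
static const unsigned char good_kexinit[] =
    "\x00\x00\x00\x24" "curve25519-sha256,ecdh-sha2-nistp256"
    "\x00\x00\x00\x0b" "ssh-ed25519";
static const unsigned char truncated_kexinit[] =
    "\x00\x00\x00\x24" "curve25519";          /* claims 36 bytes, has 10 */
static const unsigned char short_kexinit[] =
    "\x00\x00";                               /* not even a length field */

int main(void)
{
    const char *want = "diffie-hellman-group14-sha1";
    char *m;
    m = kex_check(good_kexinit, sizeof(good_kexinit) - 1, want);
    printf("%s\n", m ? m : "agreed"); free(m);
    m = kex_check(truncated_kexinit, sizeof(truncated_kexinit) - 1, want);
    printf("%s\n", m ? m : "agreed"); free(m);
    m = kex_check(short_kexinit, sizeof(short_kexinit) - 1, want);
    printf("%s\n", m ? m : "agreed"); free(m);
    return 0;
}
```

The `sizeof(...) - 1` drops the NUL the string literal adds, so the lengths handed to `kex_check` describe buffers that end exactly where the packet does; nothing in the reader or the formatter relies on a terminator being present.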
