
Bug#130589: marked as done (ssh: ssh-keyscan sometimes fails with "xmalloc: out of memory" message)



Your message dated Sat, 13 Sep 2003 00:36:26 +0100
with message-id <20030912233626.GA4610@riva.ucam.org>
and subject line ssh: ssh-keyscan sometimes fails with "xmalloc: out of memory" message
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Jan 2002 22:17:36 +0000
>From lyosha@starfish.com Wed Jan 23 16:17:36 2002
Return-path: <lyosha@starfish.com>
Received: from (here) [66.120.209.80] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16TVi4-0007gv-00; Wed, 23 Jan 2002 16:17:36 -0600
Received: by here with local
	id 16TVhY-0003fr-00; Wed, 23 Jan 2002 14:17:04 -0800
From: Alexey Marinichev <lyosha@starfish.com>
Subject: ssh: ssh-keyscan sometimes fails with "xmalloc: out of memory" message
To: submit@bugs.debian.org
X-Mailer: bug 3.3.10
Message-Id: <E16TVhY-0003fr-00@here>
Date: Wed, 23 Jan 2002 14:17:04 -0800
Delivered-To: submit@bugs.debian.org

Package: ssh
Version: 1:3.0.1p1-1.2
Severity: important

The reason it is failing is that in the conread() function no sanity checking
is done before xmalloc is called.

A patch similar to this should help:

--- ssh-keyscan.c.orig  Wed Jan 23 14:14:33 2002
+++ ssh-keyscan.c       Wed Jan 23 14:14:17 2002
@@ -573,6 +573,10 @@
                        c->c_plen = htonl(c->c_plen);
                        c->c_len = c->c_plen + 8 - (c->c_plen & 7);
                        c->c_off = 0;
+                       if (c->c_len > 100000) {
+                               confree(s);
+                               return;
+                       }
                        c->c_data = xmalloc(c->c_len);
                        c->c_status = CS_KEYS;
                        break;
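
Review bot: the bound in `if (c->c_len > 100000)` is tested on the derived value, after `c->c_len = c->c_plen + 8 - (c->c_plen & 7);` has already run. The declarations are not visible here, but if these fields are 32-bit unsigned, a c_plen within 8 of the maximum wraps c_len to a small number that passes the check, so validate c_plen before the arithmetic instead. The literal 100000 deserves a named constant with a comment saying where the limit comes from. The new branch also drops the connection without any diagnostic, which makes a skipped host hard to notice; a short log line before `confree(s);` would help. Separately, the context line converts a value read from the wire with htonl(); ntohl() states the intent, even though the two behave the same on common platforms.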

Thanks,

Alexey




-- System Information
Debian Release: woody
Kernel Version: Linux m2 2.4.16 #1 Thu Nov 29 11:23:07 PST 2001 i686 unknown

Versions of the packages ssh depends on:
ii  debconf        1.0.00         Debian configuration management system
ii  libc6          2.2.4-7        GNU C Library: Shared libraries and Timezone
ii  libpam-modules 0.72-12        Pluggable Authentication Modules for PAM
ii  libpam0g       0.72-12        Pluggable Authentication Modules library
ii  libssl0.9.6    0.9.6c-1       SSL shared libraries
ii  libwrap0       7.6-5          Wietse Venema's TCP wrappers library
ii  zlib1g         1.1.3-19       compression library - runtime

---------------------------------------
Received: (at 130589-done) by bugs.debian.org; 12 Sep 2003 23:36:45 +0000
>From cjwatson@flatline.org.uk Fri Sep 12 18:36:30 2003
Return-path: <cjwatson@flatline.org.uk>
Received: from zinc.btinternet.com [194.73.73.148] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19xxSn-0000FS-00; Fri, 12 Sep 2003 18:36:29 -0500
Received: from host81-129-36-235.in-addr.btopenworld.com ([81.129.36.235] helo=riva.lab.dotat.at)
	by zinc.btinternet.com with esmtp (Exim 3.22 #23)
	id 19xxSm-0007di-00; Sat, 13 Sep 2003 00:36:28 +0100
Received: from cjwatson by riva.lab.dotat.at with local (Exim 3.35 #1 (Debian))
	id 19xxSk-0001DR-00; Sat, 13 Sep 2003 00:36:26 +0100
Date: Sat, 13 Sep 2003 00:36:26 +0100
From: Colin Watson <cjwatson@debian.org>
To: 130589-done@bugs.debian.org
Cc: Matthew Palmer <mjp16@ieee.uow.edu.au>
Subject: Re: ssh: ssh-keyscan sometimes fails with "xmalloc: out of memory" message
Message-ID: <20030912233626.GA4610@riva.ucam.org>
References: <E16TVhY-0003fr-00@here>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E16TVhY-0003fr-00@here>
User-Agent: Mutt/1.3.28i
Delivered-To: 130589-done@bugs.debian.org
X-Spam-Status: No, hits=-4.7 required=4.0
	tests=BAYES_60,EMAIL_ATTRIBUTION,QUOTED_EMAIL_TEXT
	version=2.53-bugs.debian.org_2003_8_27
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_8_27 (1.174.2.15-2003-03-30-exp)

On Wed, Jan 23, 2002 at 02:17:04PM -0800, Alexey Marinichev wrote:
> Package: ssh
> Version: 1:3.0.1p1-1.2
> Severity: important
> 
> The reason it is failing is that in the conread() function no sanity
> checking is done before xmalloc is called.

As discussed later in this bug report, the incorrect packet length was
due to reading garbage following a failure to check that the remote host
supports SSH protocol 1. This bug was fixed upstream in OpenSSH 3.1p1.

Thanks to Matthew Palmer for diagnosis.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
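
The failure described in this thread, as an added example that is not part of the original messages and is not OpenSSH code: a simplified sketch of refusing to parse a protocol 1 packet unless the peer's banner offers protocol 1, plus a length cap applied before the padding arithmetic quoted in the patch. The function names, MAX_PACKET_LEN and the sample banners and bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PACKET_LEN 262144u  /* assumed cap for this example, not from the page */

/* Big-endian 32-bit length prefix as it arrives on the wire. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Same padding rule as the patch context: adds 1..8 bytes to reach a multiple of 8. */
static uint32_t padded_len(uint32_t plen)
{
    return plen + 8 - (plen & 7);
}

/* Returns 1 if a banner "SSH-<major>.<minor>-..." offers protocol 1
 * (major 1, which includes the 1.99 compatibility version). */
static int banner_offers_proto1(const char *banner)
{
    int major, minor;
    if (sscanf(banner, "SSH-%d.%d", &major, &minor) != 2)
        return 0;
    return major == 1;
}

/* Returns the buffer size to allocate, or 0 if the peer must be dropped. */
static size_t safe_alloc_len(const char *banner, const unsigned char *hdr)
{
    uint32_t plen;
    if (!banner_offers_proto1(banner))
        return 0;               /* never parse a v1 packet from a non-v1 peer */
    plen = read_be32(hdr);
    if (plen > MAX_PACKET_LEN)
        return 0;               /* also rules out wraparound in padded_len() */
    return padded_len(plen);
}

int main(void)
{
    /* Constructed input: four ASCII bytes misread as a length prefix. */
    const unsigned char garbage[4] = { 'S', 'S', 'H', '-' };
    printf("garbage as length: %u\n", (unsigned)read_be32(garbage));
    printf("v2-only peer: %zu\n", safe_alloc_len("SSH-2.0-example", garbage));
    return 0;
}
```

Four bytes of unrelated text interpreted as a length prefix yield a request of over a gigabyte, which is the kind of value that ends in "xmalloc: out of memory".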


