Bug #2883

ssh: heap buffer overflow

Added by Victor Julien 9 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal

Description

### Bug report: SSHParseBanner (app-layer-ssh.c)
There is an integer and, as a result, a heap buffer overflow at line 99.
## Input
If the *input* of the function *SSHParseBanner(SshState *state, SshHeader *header, const uint8_t *input, uint32_t input_len)* consists of only one special character, **'\n'**, the program runs into a heap buffer overflow.
## Reason
At **line 76** in the function *SSHParseBanner*, the program searches for a “'\r'”.
If not, it then matches the input with a “'\n'”.
After this point line_len is “0”. And this is the problem.
At line 97, we subtract “-4” from line_len and we get a negative integer.
Unfortunately, input_len is an unsigned integer, and small negative integers are now very big unsigned integers.
The result is that the **input_len** is much higher than the given buffer.
The function *BasicSearch* needs the length and will crash by reading too much memory space because of the high input_len value.
This results in a heap-buffer-overflow.
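
The unsigned wrap described in the report, next to a length check that prevents it, as an added example that is not part of the original report and is not Suricata's code. The names `banner_line_len`, `remaining_len_unchecked`, `remaining_len_checked` and `BANNER_PREFIX_LEN` are hypothetical, and the second sample banner is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* All names here are hypothetical; this is not Suricata's code. */
#define BANNER_PREFIX_LEN 4u /* the 4 subtracted in the report */

/* Bytes before the first '\r' or '\n' (input_len if neither occurs). */
static uint32_t banner_line_len(const uint8_t *input, uint32_t input_len)
{
    uint32_t i;
    for (i = 0; i < input_len; i++) {
        if (input[i] == '\r' || input[i] == '\n')
            break;
    }
    return i;
}

/* Unchecked: unsigned subtraction wraps when line_len < 4, so a line of
 * length 0 yields a length close to UINT32_MAX. */
uint32_t remaining_len_unchecked(const uint8_t *input, uint32_t input_len)
{
    return banner_line_len(input, input_len) - BANNER_PREFIX_LEN;
}

/* Checked: reject short lines before subtracting.
 * Returns 0 and sets *out on success, -1 if the line is too short. */
int remaining_len_checked(const uint8_t *input, uint32_t input_len,
                          uint32_t *out)
{
    uint32_t line_len = banner_line_len(input, input_len);
    if (line_len < BANNER_PREFIX_LEN)
        return -1;
    *out = line_len - BANNER_PREFIX_LEN;
    return 0;
}

int main(void)
{
    const uint8_t lone_newline[] = { '\n' };     /* input from the report */
    const uint8_t banner[] = "SSH-2.0-Test\r\n"; /* constructed sample */
    uint32_t out = 0;

    printf("unchecked, lone newline: %u\n",
           (unsigned)remaining_len_unchecked(lone_newline, 1));
    printf("checked, lone newline:   %d\n",
           remaining_len_checked(lone_newline, 1, &out));
    if (remaining_len_checked(banner, sizeof(banner) - 1, &out) == 0)
        printf("checked, banner:         %u\n", (unsigned)out);
    return 0;
}
```

Passing the unchecked result to a search routine as a buffer length is what makes the read run past the end of the heap allocation.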

Related issues

Copied to Bug #2944: ssh: heap buffer overflow (master) (Closed)

History

#1

Updated by Victor Julien 7 months ago

  • Copied to Bug #2944: ssh: heap buffer overflow (master) added
#2

Updated by Victor Julien 7 months ago

  • Status changed from Assigned to Closed
#3

Updated by Victor Julien 7 months ago

  • Private changed from Yes to No
