[22973] in bugtraq
Re: SSH deja vu
daemon@ATHENA.MIT.EDU (Lucian Hudin)
Wed Oct 24 01:04:42 2001
Date: Wed, 24 Oct 2001 00:18:06 +0300 (EEST)
From: Lucian Hudin <luci@warp.transart.ro>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Max Parke <mhp@lightlink.com>, <bugtraq@securityfocus.com>
In-Reply-To: <Pine.LNX.4.21.0110231558500.1309-100000@nimue.bos.bindview.com>
Message-ID: <Pine.LNX.4.30.0110240004490.29114-100000@warp.transart.ro>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
I don't know about any teso exploit, but what I want to mention is
that I remember studying this problem myself and I've found
that the crc32 bug doesn't manifest under operating systems that
return NULL on realloc(ptr, 0);
So if the exploit is based on the fact that realloc(ptr, 0) will
NOT return NULL, Linux & W2k (systems I have access to) were never
actually vulnerable.
The Linux realloc manual says:
"realloc() returns a pointer to the newly allocated memory, which is
suitably aligned for any kind of variable and may be different
from ptr, or NULL if the request fails or if size was equal to 0.
CONFORMING TO
ANSI-C"
Regards,
Luci
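An added illustration of the portability point raised above (example code written for this page, not part of Luci's message nor of the SSH sources under discussion): C89/C99 leave the result of realloc(ptr, 0) implementation-defined, so a safety property that only holds when it returns NULL does not carry from one libc to another. The hypothetical helpers below probe what the host libc does and show a resize wrapper that rejects a zero-size request and a wrapping size product before realloc is ever called, so its behaviour is the same everywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Probe what this libc does for realloc(ptr, 0). C89/C99 leave the
 * result implementation-defined (C23 makes it undefined), so portable
 * code must not depend on either answer. Hypothetical helper. */
int realloc_zero_returns_null(void)
{
    void *p = malloc(16);
    if (p == NULL)
        return -1;                 /* cannot probe */
    void *q = realloc(p, 0);
    if (q == NULL)
        return 1;                  /* glibc style: p freed, NULL returned */
    free(q);                       /* other libcs hand back a minimal object */
    return 0;
}

/* Resize *pp to hold `count` elements of `elem_size` bytes.
 * Returns 0 on success (and updates *pp) or -1 on error with *pp
 * untouched. A zero-size request and a size product that would wrap
 * are both rejected BEFORE realloc runs, so the outcome is identical
 * on every platform regardless of how it treats realloc(ptr, 0). */
int checked_resize(void **pp, size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return -1;                 /* never hand realloc a size of 0 */
    if (count > SIZE_MAX / elem_size)
        return -1;                 /* count * elem_size would overflow */
    void *q = realloc(*pp, count * elem_size);
    if (q == NULL)
        return -1;                 /* genuine allocation failure */
    *pp = q;
    return 0;
}

int main(void)
{
    void *table = NULL;            /* constructed sample: a growable u16 table */
    printf("realloc(ptr, 0) returns NULL here: %d\n", realloc_zero_returns_null());
    printf("resize to 1024 entries: %d\n", checked_resize(&table, 1024, sizeof(uint16_t)));
    printf("resize to 0 entries:    %d\n", checked_resize(&table, 0, sizeof(uint16_t)));
    printf("resize to SIZE_MAX:     %d\n", checked_resize(&table, SIZE_MAX, sizeof(uint16_t)));
    free(table);
    return 0;
}
```

The probe prints 1 on glibc (which frees ptr and returns NULL) and 0 on libcs that return a minimal object; the wrapper returns -1 for the two rejected requests on both.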