Re: ssh crc32 exploit on Linux

From: Michel Kaempf (maxxat_private)
Date: Sun Apr 29 2001 - 04:55:35 PDT

    On Sat, Apr 28, 2001, Michel Arboi wrote:
    > > However, I found that only the realloc() does this, but for some
    > > reason, an original malloc(0) works fine.
    >
    > Looks illogical...
    
    Well, it is not, actually. The explanation below concerns glibc, which
    uses Doug Lea's Malloc, and is more or less an excerpt from the very
    well commented malloc.c file.
    
    malloc with a size argument of zero allocates a minimum-sized chunk
    (currently 16, 24, or 32 bytes... 16 bytes on Linux i386 systems for
    example). Only 12 bytes can be used by the user, because malloc adds 4
    bytes overhead (but anyway, if the user requested 0 bytes he should not
    use the space provided at all).
    
    realloc with a size argument of zero (re)allocates a minimum-sized
    chunk, or frees the previously allocated chunk if REALLOC_ZERO_BYTES_FREES
    is defined in malloc.c. And the default *is* to define
    REALLOC_ZERO_BYTES_FREES, so realloc with a size argument of zero frees
    the chunk and returns NULL.
    
    --
    MaXX
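
    The two behaviours described above, probed empirically in an added C example (not code from the original thread). `realloc_zero_frees` and `malloc_zero_returns_chunk` are hypothetical probe names; `resize_buf` is a hypothetical wrapper showing how a caller avoids being bitten by the NULL-on-free convention:

```c
#include <stdio.h>
#include <stdlib.h>

/* Does realloc(p, 0) free p and return NULL (glibc with
 * REALLOC_ZERO_BYTES_FREES defined), or hand back a minimum-sized chunk?
 * Returns 1 if NULL came back (chunk already freed), 0 if a live pointer
 * came back, -1 if the initial allocation failed. */
int realloc_zero_frees(void) {
    char *p = malloc(16);
    if (p == NULL) return -1;
    char *q = realloc(p, 0);
    if (q == NULL) return 1;   /* p is gone; freeing it again would be a double free */
    free(q);                   /* allocator kept a chunk alive; release it */
    return 0;
}

/* malloc(0) on glibc returns a minimum-sized chunk, not NULL. */
int malloc_zero_returns_chunk(void) {
    void *p = malloc(0);
    int live = (p != NULL);
    free(p);                   /* free(NULL) is a no-op, so this is safe either way */
    return live;
}

/* Resize that never leaves the caller guessing. A request for zero bytes is
 * treated as an explicit free and *pp is set to NULL, so a stale pointer can
 * never be used or freed twice afterwards. Returns 0 on success, -1 if the
 * allocation failed (*pp is then left untouched and still valid). */
int resize_buf(char **pp, size_t new_size) {
    if (new_size == 0) {
        free(*pp);
        *pp = NULL;
        return 0;
    }
    char *tmp = realloc(*pp, new_size);   /* realloc(NULL, n) behaves like malloc(n) */
    if (tmp == NULL) return -1;
    *pp = tmp;
    return 0;
}

int main(void) {
    printf("malloc(0) returns a chunk: %d\n", malloc_zero_returns_chunk());
    printf("realloc(p, 0) frees and returns NULL: %d\n", realloc_zero_frees());
    char *buf = malloc(8);
    resize_buf(&buf, 0);
    printf("after resize_buf(&buf, 0), buf is NULL: %d\n", buf == NULL);
    return 0;
}
```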
    



    This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 18:32:04 PDT