Gentoo's Bugzilla – Attachment 97507 Details for Bug 148228: net-misc/openssh Multiple minor issues CVE-2006-4924 CVE-2006-4925
openssh-4.3_p2-identical-simple-dos.patch
openssh-4.3_p2-identical-simple-dos.patch (text/plain), 3.44 KB, created by SpanKY on 2006-09-19 21:23:35 UTC
Description: openssh-4.3_p2-identical-simple-dos.patch
Filename: openssh-4.3_p2-identical-simple-dos.patch
MIME Type: text/plain
Creator: SpanKY
Created: 2006-09-19 21:23:35 UTC
Size: 3.44 KB
Flags: patch, obsolete
>http://bugs.gentoo.org/148228 > >taken from upstream cvs and munged a little to apply against 4.3p2 > >=================================================================== >RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v >retrieving revision 1.29 >retrieving revision 1.30 >diff -u -r1.29 -r1.30 >--- src/usr.bin/ssh/deattack.c 2006/08/03 03:34:42 1.29 >+++ src/usr.bin/ssh/deattack.c 2006/09/16 19:53:37 1.30 >@@ -30,6 +30,24 @@ > #include "crc32.h" > #include "misc.h" > >+/* >+ * CRC attack detection has a worst-case behaviour that is O(N^3) over >+ * the number of identical blocks in a packet. This behaviour can be >+ * exploited to create a limited denial of service attack. >+ * >+ * However, because we are dealing with encrypted data, identical >+ * blocks should only occur every 2^35 maximally-sized packets or so. >+ * Consequently, we can detect this DoS by looking for identical blocks >+ * in a packet. >+ * >+ * The parameter below determines how many identical blocks we will >+ * accept in a single packet, trading off between attack detection and >+ * likelihood of terminating a legitimate connection. A value of 32 >+ * corresponds to an average of 2^40 messages before an attack is >+ * misdetected >+ */ >+#define MAX_IDENTICAL 32 >+ > /* SSH Constants */ > #define SSH_MAXBLOCKS (32 * 1024) > #define SSH_BLOCKSIZE (8) >@@ -85,7 +103,7 @@ > static u_int16_t *h = (u_int16_t *) NULL; > static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; > u_int32_t i, j; >- u_int32_t l; >+ u_int32_t l, same; > u_char *c; > u_char *d; 
> >@@ -122,11 +140,13 @@ > if (IV) > h[HASH(IV) & (n - 1)] = HASH_IV; > >- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { >+ for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { > for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; > i = (i + 1) & (n - 1)) { > if (h[i] == HASH_IV) { > if (!CMP(c, IV)) { >+ if (++same > MAX_IDENTICAL) >+ return (DEATTACK_DOS_DETECTED); > if (check_crc(c, buf, len, IV)) > return (DEATTACK_DETECTED); > else >=================================================================== >RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v >retrieving revision 1.143 >retrieving revision 1.144 >diff -u -r1.143 -r1.144 >--- src/usr.bin/ssh/packet.c 2006/08/05 08:34:04 1.143 >+++ src/usr.bin/ssh/packet.c 2006/09/16 19:53:37 1.144 >@@ -991,9 +991,16 @@ > * (C)1998 CORE-SDI, Buenos Aires Argentina > * Ariel Futoransky(futo@core-sdi.com) > */ >- if (!receive_context.plaintext && >- detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED) >- packet_disconnect("crc32 compensation attack: network attack detected"); >+ if (!receive_context.plaintext) { >+ switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) { >+ case DEATTACK_DETECTED: >+ packet_disconnect("crc32 compensation attack: " >+ "network attack detected"); >+ case DEATTACK_DOS_DETECTED: >+ packet_disconnect("deattack denial of " >+ "service detected"); >+ } >+ } > > /* Decrypt data to incoming_packet. */ > buffer_clear(&incoming_packet); >=================================================================== >RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.h,v >retrieving revision 1.9 >retrieving revision 1.10 >diff -u -r1.9 -r1.10 >--- src/usr.bin/ssh/deattack.h 2006/03/25 22:22:43 1.9 >+++ src/usr.bin/ssh/deattack.h 2006/09/16 19:53:37 1.10 >@@ -25,6 +25,7 @@ > /* Return codes */ > #define DEATTACK_OK 0 > #define DEATTACK_DETECTED 1 >+#define DEATTACK_DOS_DETECTED 2 > > int detect_attack(u_char *, u_int32_t); > #endif
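Review bot: In the first deattack.c hunk, the new block comment stops without a full stop after "misdetected", and it would help readers to state that the MAX_IDENTICAL budget is spent per packet (the counter is re-zeroed in the loop initialiser of the later hunk), since the 2^35 / 2^40 figures it quotes are per-packet probabilities that justify disconnecting rather than just skipping the check.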
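Review bot: In the deattack.c loop hunk, the only `++same > MAX_IDENTICAL` guard shown sits inside the `if (h[i] == HASH_IV)` / `!CMP(c, IV)` branch, so as far as the visible lines go it counts blocks that equal the IV, while the rationale in the new comment is about identical blocks within a packet in general; confirm that the non-IV hash hits (entries other than HASH_IV, handled below the hunk's context) carry the same guard before `check_crc()`, otherwise the comparison-heavy path the comment describes is only partly covered.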
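Review bot: In the packet.c hunk, `case DEATTACK_DETECTED:` falls through into `case DEATTACK_DOS_DETECTED:` with no `break;`, which is only correct because `packet_disconnect()` never returns; add a `/* NOTREACHED */` comment or an explicit `break;` after each `packet_disconnect()` so the intent is visible and implicit-fallthrough warnings do not flag it, and consider a `default:` (covering DEATTACK_OK) that documents the common no-op path.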
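Review bot: In the deattack.h hunk, the context line `int detect_attack(u_char *, u_int32_t);` declares two parameters, but the packet.c call in this same patch passes three (`buffer_ptr(&input), padded_len, NULL`) and deattack.c's loop uses `IV`; check whether that line is simply truncated in this rendering and, if the 4.3p2 header really reads this way, fix the prototype so declaration, definition and call agree.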