CVE-2003-0693
Description
A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <3.7
Patches
Vulnerability mechanics
Root cause
"Buffer management error: allocation size metadata is updated before the actual memory allocation succeeds, so a failed realloc leaves an inconsistent size that is later used to free memory incorrectly."
Attack vector
An attacker can send crafted SSH protocol messages that cause the internal buffer to be reallocated. If the reallocation fails (e.g., due to memory pressure), the buffer management error in `buffer_append_space` or `channel_new` leaves `buffer->alloc` or `channels_alloc` inconsistent with the actual allocated memory. A subsequent call to `buffer_free` then passes an incorrect size to `memset` and `xfree`, corrupting the heap. This can potentially be leveraged to execute arbitrary code on the sshd process [ref_id=1].
Affected code
The vulnerability resides in `buffer.c` (functions `buffer_init`, `buffer_free`, `buffer_append_space`) and `channels.c` (function `channel_new`). In `buffer_init`, `buffer->alloc` was set before `buffer->buf` was allocated, so if `xmalloc` failed the freed size would be wrong. In `buffer_append_space`, the allocation size was updated before calling `xrealloc`, so a failed realloc could leave `buffer->alloc` inconsistent with the actual buffer size. In `channel_new`, `channels_alloc` was incremented before `xrealloc`, so a failed realloc would leave the count inconsistent with the array size [ref_id=1].
What the fix does
The patch reorders operations in `buffer_init` so that `buffer->alloc` is set to 0 before `xmalloc`, then updated to the actual allocation size only after success. In `buffer_append_space`, a temporary variable `newlen` is computed first; only after `xrealloc` succeeds is `buffer->alloc` updated. In `buffer_free`, a guard checks `buffer->alloc > 0` before using it. In `channel_new`, `channels_alloc` is incremented only after `xrealloc` succeeds. These changes ensure that allocation size metadata always matches the actual buffer size, preventing incorrect `memset`/`xfree` calls that could corrupt the heap [ref_id=1].
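To make the ordering problem concrete, here is an added illustration that is not OpenSSH's own `buffer.c`: a minimal `Buffer` with the pre-3.7 shape of `buffer_append_space` (metadata updated before `xrealloc`) beside the 3.7 shape (a `newlen` temporary, `alloc` updated only after success), plus the guarded `buffer_free`. The field names, the 32768 growth increment and the `alloc > 0` guard follow the description above; the `xrealloc_or_null` hook that returns NULL instead of calling `fatal()`, the `fail_next_realloc` switch and the `alloc_drift_after_failure` harness are constructed for this demonstration and are assumptions, not project code.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-in for OpenSSH's Buffer (field names follow buffer.h). */
typedef struct {
    unsigned char *buf;
    unsigned int alloc;   /* bytes actually allocated for buf */
    unsigned int offset;  /* start of unconsumed data */
    unsigned int end;     /* end of used data */
} Buffer;

/* Constructed test hook: when nonzero, the next realloc is forced to fail,
 * standing in for memory pressure. */
static int fail_next_realloc = 0;

/* Constructed stand-in for xrealloc: returns NULL on failure instead of
 * calling fatal(), so the buffer state can be inspected rather than handed
 * straight to a cleanup handler that would call buffer_free. */
static void *xrealloc_or_null(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* Pre-3.7 ordering: alloc is bumped before the realloc has succeeded. */
static int append_space_vulnerable(Buffer *b, unsigned int len)
{
    void *p;
    if (b->end + len <= b->alloc)
        return 0;
    b->alloc += len + 32768;               /* metadata updated first ...   */
    p = xrealloc_or_null(b->buf, b->alloc);
    if (p == NULL)
        return -1;                         /* ... and left stale on failure */
    b->buf = p;
    return 0;
}

/* 3.7 ordering: compute newlen, update alloc only after realloc succeeds. */
static int append_space_fixed(Buffer *b, unsigned int len)
{
    unsigned int newlen;
    void *p;
    if (b->end + len <= b->alloc)
        return 0;
    newlen = b->alloc + len + 32768;
    p = xrealloc_or_null(b->buf, newlen);
    if (p == NULL)
        return -1;                         /* alloc still describes the real block */
    b->buf = p;
    b->alloc = newlen;
    return 0;
}

/* 3.7-style buffer_free: only touch memory when alloc says something exists. */
static void buffer_free_guarded(Buffer *b)
{
    if (b->alloc > 0) {
        memset(b->buf, 0, b->alloc);
        free(b->buf);
    }
    b->buf = NULL;
    b->alloc = 0;
}

/* Constructed harness: drives one append through a failed realloc and reports
 * by how many bytes buffer->alloc overstates the block that buffer_free would
 * later memset/free. 0 means metadata and allocation are consistent. */
static unsigned int alloc_drift_after_failure(int (*append)(Buffer *, unsigned int))
{
    Buffer b;
    unsigned int real_size = 4096;
    unsigned int drift;

    b.buf = malloc(real_size);
    b.alloc = real_size;
    b.offset = 0;
    b.end = real_size;            /* buffer is full, so the append must grow it */

    fail_next_realloc = 1;
    (void)append(&b, 1);          /* realloc fails; inspect instead of aborting */
    drift = b.alloc - real_size;

    if (drift == 0)
        buffer_free_guarded(&b);  /* safe: alloc matches the real block */
    else
        free(b.buf);              /* stale alloc would make the memset overrun */
    return drift;
}

int main(void)
{
    printf("vulnerable ordering: alloc overstates block by %u bytes\n",
           alloc_drift_after_failure(append_space_vulnerable));
    printf("fixed ordering:      alloc overstates block by %u bytes\n",
           alloc_drift_after_failure(append_space_fixed));
    return 0;
}
```

With the vulnerable ordering the harness reports a 32769-byte overstatement (the requested 1 byte plus the 32768 growth step), which is exactly the size a later `buffer_free` would pass to `memset` and `xfree`; with the fixed ordering it reports 0.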
Preconditions
- Network: the attacker must be able to establish a TCP connection to the sshd port and send SSH protocol messages that trigger buffer reallocation.
- Input: the system must be under memory pressure, or the attacker must craft messages that cause a reallocation failure.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.kb.cert.org/vuls/id/333628 (NVD: Patch, Third Party Advisory, US Government Resource)
- www.cert.org/advisories/CA-2003-24.html (NVD: US Government Resource)
- lists.grok.org.uk/pipermail/full-disclosure/2003-September/010103.html (NVD)
- lists.grok.org.uk/pipermail/full-disclosure/2003-September/010135.html (NVD)
- lists.grok.org.uk/pipermail/full-disclosure/2003-September/010146.html (NVD)
- marc.info (NVD)
- marc.info (NVD)
- marc.info (NVD)
- marc.info (NVD)
- marc.info (NVD)
- sunsolve.sun.com/search/document.do (NVD)
- www.debian.org/security/2003/dsa-382 (NVD)
- www.debian.org/security/2003/dsa-383 (NVD)
- www.mandriva.com/security/advisories (NVD)
- www.openssh.com/txt/buffer.adv (NVD)
- www.openwall.com/lists/oss-security/2024/07/01/3 (NVD)
- www.redhat.com/support/errata/RHSA-2003-280.html (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/13191 (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2719 (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A447 (NVD)
News mentions
No linked articles in our index yet.