1. Systems affected:
	All versions of OpenSSH between 2.0 and 3.0.2 contain

	an off-by-one error in the channel code.
	OpenSSH 3.1 and later are not affected.
2. Impact:
        This bug can be exploited locally by an authenticated user

        logging into a vulnerable OpenSSH server or by a malicious

        SSH server attacking a vulnerable OpenSSH client.
3. Solution:
	Upgrade to OpenSSH 3.1 or apply the following patch.
4. Credits:
	This bug was discovered by Joost Pol 
Appendix:
Index: channels.c

===================================================================

RCS file: /cvs/src/usr.bin/ssh/channels.c,v

retrieving revision 1.170

retrieving revision 1.171

diff -u -r1.170 -r1.171

--- channels.c	27 Feb 2002 21:23:13 -0000	1.170

+++ channels.c	4 Mar 2002 19:37:58 -0000	1.171

@@ -146,7 +146,7 @@

 {

 	Channel *c;
-	if (id < 0 || id > channels_alloc) {

+	if (id < 0 || id >= channels_alloc) {

 		log("channel_lookup: %d: bad id", id);

 		return NULL;

 	}