tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

set sshpam_ctxt to NULL after free 

Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
This commit is contained in:
Damien Miller 2015-08-11 13:34:12 +10:00
parent d4697fe9a2
commit 5e75f51987
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
monitor.c
View File

@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
int int
mm_answer_pam_free_ctx(int sock, Buffer *m) mm_answer_pam_free_ctx(int sock, Buffer *m)
{ {
int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__); debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt); (sshpam_device.free_ctx)(sshpam_ctxt);
sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m); buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive"; auth_method = "keyboard-interactive";
auth_submethod = "pam"; auth_submethod = "pam";
return (sshpam_authok == sshpam_ctxt); return r;
} }
#endif #endif