authorDamien Miller <djm@mindrot.org>2015-08-11 13:34:12 +1000
committerColin Watson <cjwatson@debian.org>2015-09-08 14:50:03 +0100
commit5811884269955979919121440a57a7475a4f9eac (patch)
tree4f766e21622d700917c706423becb1d9e11fc6aa
parent7de26a97986c8032bf1869347a2ceaee1d64f857 (diff)
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-pam-use-after-free.patch
-rw-r--r--monitor.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index 870a6b9e1..e8541b4fa 100644
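--- a/monitor.c
+++ b/monitor.c
@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+	sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif
 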
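Review bot: With `sshpam_ctxt` cleared at the end of `mm_answer_pam_free_ctx`, a repeated or out-of-order free request from the unprivileged child now reaches `(sshpam_device.free_ctx)(sshpam_ctxt)` with a NULL argument, and nothing visible in this section shows that `free_ctx` accepts NULL. If no legitimate flow frees without a context, an explicit guard before the call would make that state fail closed: `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);`. The other PAM handlers in monitor.c that use `sshpam_ctxt` (for example `mm_answer_pam_respond`, named in the hunk header but outside this section) presumably need the same NULL check, since the pointer can now be NULL between requests. A one-line comment on `r`, such as `/* capture the result before the context pointers are cleared */`, would also explain why the comparison moved to the top of the function.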