author | Damien Miller <djm@mindrot.org> | 2015-08-11 13:34:12 +1000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-09-08 14:50:03 +0100 |
commit | 5811884269955979919121440a57a7475a4f9eac (patch) | |
tree | 4f766e21622d700917c706423becb1d9e11fc6aa | |
parent | 7de26a97986c8032bf1869347a2ceaee1d64f857 (diff) |
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-pam-use-after-free.patch
-rw-r--r-- | monitor.c | 4 |
1 files changed, 3 insertions, 1 deletions
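--- a/monitor.c
+++ b/monitor.c
@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 debug3("%s", __func__);
 (sshpam_device.free_ctx)(sshpam_ctxt);
+sshpam_ctxt = sshpam_authok = NULL;
 buffer_clear(m);
 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 auth_method = "keyboard-interactive";
 auth_submethod = "pam";
-return (sshpam_authok == sshpam_ctxt);
+return r;
 }
 #endif
 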
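Review bot: `(sshpam_device.free_ctx)(sshpam_ctxt);` still runs unconditionally, so once this change has reset `sshpam_ctxt` to NULL, a repeated free-context request from the unprivileged child hands NULL to the PAM device's `free_ctx` callback. Whether that callback tolerates NULL is not visible in this hunk, so the monitor should reject the request itself rather than rely on it: `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` placed before the call. A short comment on `r` would also help the next reader, e.g. `/* evaluate before free_ctx: both pointers are cleared below */`, since that ordering is the whole point of the fix.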