set sshpam_ctxt to NULL after free

Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-pam-use-after-free.patch
author: Damien Miller <djm@mindrot.org> 2015-08-11 13:34:12 +1000
committer: Colin Watson <cjwatson@debian.org> 2015-09-08 14:50:03 +0100
commit: 5811884269955979919121440a57a7475a4f9eac (patch)
tree: 4f766e21622d700917c706423becb1d9e11fc6aa
parent: 7de26a97986c8032bf1869347a2ceaee1d64f857 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index 870a6b9e1..e8541b4fa 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+        int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
        debug3("%s", __func__);
        (sshpam_device.free_ctx)(sshpam_ctxt);
+        sshpam_ctxt = sshpam_authok = NULL;
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
        auth_method = "keyboard-interactive";
        auth_submethod = "pam";
-        return (sshpam_authok == sshpam_ctxt);
+        return r;
 }
 #endif
author	Damien Miller <djm@mindrot.org>	2015-08-11 13:34:12 +1000
committer	Colin Watson <cjwatson@debian.org>	2015-09-08 14:50:03 +0100
commit	5811884269955979919121440a57a7475a4f9eac (patch)
tree	4f766e21622d700917c706423becb1d9e11fc6aa
parent	7de26a97986c8032bf1869347a2ceaee1d64f857 (diff)