author | Damien Miller <djm@mindrot.org> | 2015-08-11 13:34:12 +1000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 21:45:05 +0100 |
commit | a97f75bc484762111ae4e994791f4a5af6294c26 (patch) | |
tree | 9a63fc857d39979bc87640622aa29cac8d51c72a | |
parent | f84305e9391e13c01a78df0d93e2edd40c14f601 (diff) |
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-pam-use-after-free.patch
-rw-r--r-- | monitor.c | 4 |
1 files changed, 3 insertions, 1 deletions
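--- a/monitor.c
+++ b/monitor.c
@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 debug3("%s", __func__);
 (sshpam_device.free_ctx)(sshpam_ctxt);
+sshpam_ctxt = sshpam_authok = NULL;
 buffer_clear(m);
 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 auth_method = "keyboard-interactive";
 auth_submethod = "pam";
-return (sshpam_authok == sshpam_ctxt);
+return r;
 }
 #endif
 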
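Review bot: The call `(sshpam_device.free_ctx)(sshpam_ctxt);` at new line 1231 is still unconditional, so once this function has cleared the pointer, a repeated free-context request from the unprivileged child hands NULL to the device callback. Whether that callback tolerates NULL is not visible in this hunk, so I would guard it here with `if (sshpam_ctxt != NULL)` rather than rely on the callee. The other PAM handlers that read `sshpam_ctxt` are outside this hunk, including `mm_answer_pam_respond` named in the hunk header; after this change they can see a NULL context and presumably should reject it explicitly instead of passing it on. The ordering is also worth a short comment above `int r`, for example `/* Capture the result before free_ctx(); both pointers are cleared afterwards so a later request cannot reuse the freed context. */`.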