set sshpam_ctxt to NULL after free

Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-pam-use-after-free.patch
author: Damien Miller <djm@mindrot.org> 2015-08-11 13:34:12 +1000
committer: Colin Watson <cjwatson@debian.org> 2015-08-19 18:33:42 +0100
commit: c0ec3def4bec4afe1cad9e99081e658200b13a02 (patch)
tree: d5e65fc684ffb2ed39d7bd131c75a1988b53fe1c
parent: 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index 870a6b9e1..e8541b4fa 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+        int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
        debug3("%s", __func__);
        (sshpam_device.free_ctx)(sshpam_ctxt);
+        sshpam_ctxt = sshpam_authok = NULL;
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
        auth_method = "keyboard-interactive";
        auth_submethod = "pam";
-        return (sshpam_authok == sshpam_ctxt);
+        return r;
 }
 #endif
author	Damien Miller <djm@mindrot.org>	2015-08-11 13:34:12 +1000
committer	Colin Watson <cjwatson@debian.org>	2015-08-19 18:33:42 +0100
commit	c0ec3def4bec4afe1cad9e99081e658200b13a02 (patch)
tree	d5e65fc684ffb2ed39d7bd131c75a1988b53fe1c
parent	5b83c6a466b2a7fe6aaf50e082c58fe63592e211 (diff)