summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2013-12-05 10:23:21 +1100
committerDamien Miller <djm@mindrot.org>2013-12-05 10:23:21 +1100
commitf1e44ea9d9a6d4c1a95a0024132e603bd1778c9c (patch)
treeaece5d2a7be401bcac4930875a5c49c4f8990241
parent114e540b15d57618f9ebf624264298f80bbd8c77 (diff)
- djm@cvs.openbsd.org 2013/12/02 02:56:17
[ssh-pkcs11-helper.c] use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
-rw-r--r--ChangeLog3
-rw-r--r--ssh-pkcs11-helper.c5
2 files changed, 6 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 1aa9e80e1..ef9ad8515 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,9 @@
26 - djm@cvs.openbsd.org 2013/12/02 02:50:27 26 - djm@cvs.openbsd.org 2013/12/02 02:50:27
27 [PROTOCOL.chacha20poly1305] 27 [PROTOCOL.chacha20poly1305]
28 typo; from Jon Cave 28 typo; from Jon Cave
29 - djm@cvs.openbsd.org 2013/12/02 02:56:17
30 [ssh-pkcs11-helper.c]
31 use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
29 32
3020131121 3320131121
31 - (djm) OpenBSD CVS Sync 34 - (djm) OpenBSD CVS Sync
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index 39b2e7c56..b7c52beb8 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-pkcs11-helper.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */ 1/* $OpenBSD: ssh-pkcs11-helper.c,v 1.7 2013/12/02 02:56:17 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Markus Friedl. All rights reserved. 3 * Copyright (c) 2010 Markus Friedl. All rights reserved.
4 * 4 *
@@ -127,7 +127,8 @@ process_add(void)
127 buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER); 127 buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER);
128 buffer_put_int(&msg, nkeys); 128 buffer_put_int(&msg, nkeys);
129 for (i = 0; i < nkeys; i++) { 129 for (i = 0; i < nkeys; i++) {
130 key_to_blob(keys[i], &blob, &blen); 130 if (key_to_blob(keys[i], &blob, &blen) == 0)
131 continue;
131 buffer_put_string(&msg, blob, blen); 132 buffer_put_string(&msg, blob, blen);
132 buffer_put_cstring(&msg, name); 133 buffer_put_cstring(&msg, name);
133 free(blob); 134 free(blob);