set sshpam_ctxt to NULL after free

Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-pam-use-after-free.patch
author: Damien Miller <djm@mindrot.org> 2015-08-11 13:34:12 +1000
committer: Colin Watson <cjwatson@debian.org> 2015-11-24 20:45:17 +0000
commit: fddd7fcb2ccb2cfdd88328d1149c0c31fcf21447 (patch)
tree: 04711e69dee55ddadc548b4169cc6b2b0d38cdde
parent: 4e1468d9745c5e32d99cd85386dfc74e90a5cf14 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index 3fc9253e4..c063ad1a0 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1209,14 +1209,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+        int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
        debug3("%s", __func__);
        (sshpam_device.free_ctx)(sshpam_ctxt);
+        sshpam_ctxt = sshpam_authok = NULL;
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
        auth_method = "keyboard-interactive";
        auth_submethod = "pam";
-        return (sshpam_authok == sshpam_ctxt);
+        return r;
 }
 #endif
author	Damien Miller <djm@mindrot.org>	2015-08-11 13:34:12 +1000
committer	Colin Watson <cjwatson@debian.org>	2015-11-24 20:45:17 +0000
commit	fddd7fcb2ccb2cfdd88328d1149c0c31fcf21447 (patch)
tree	04711e69dee55ddadc548b4169cc6b2b0d38cdde
parent	4e1468d9745c5e32d99cd85386dfc74e90a5cf14 (diff)