diff options
author | Damien Miller <djm@mindrot.org> | 2015-08-11 13:34:12 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-08-11 13:36:00 +1000 |
commit | 5e75f5198769056089fb06c4d738ab0e5abc66f7 (patch) | |
tree | 939fc57f4ad54019d9d749abaa2e2d4b606a9116 /monitor.c | |
parent | d4697fe9a28dab7255c60433e4dd23cf7fce8a8b (diff) |
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
1166 | int | 1166 | int |
1167 | mm_answer_pam_free_ctx(int sock, Buffer *m) | 1167 | mm_answer_pam_free_ctx(int sock, Buffer *m) |
1168 | { | 1168 | { |
1169 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | ||
1169 | 1170 | ||
1170 | debug3("%s", __func__); | 1171 | debug3("%s", __func__); |
1171 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1172 | (sshpam_device.free_ctx)(sshpam_ctxt); |
1173 | sshpam_ctxt = sshpam_authok = NULL; | ||
1172 | buffer_clear(m); | 1174 | buffer_clear(m); |
1173 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1175 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
1174 | auth_method = "keyboard-interactive"; | 1176 | auth_method = "keyboard-interactive"; |
1175 | auth_submethod = "pam"; | 1177 | auth_submethod = "pam"; |
1176 | return (sshpam_authok == sshpam_ctxt); | 1178 | return r; |
1177 | } | 1179 | } |
1178 | #endif | 1180 | #endif |
1179 | 1181 | ||