summaryrefslogtreecommitdiff
path: root/monitor.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2015-08-11 13:34:12 +1000
committerColin Watson <cjwatson@debian.org>2015-11-24 20:45:17 +0000
commitfddd7fcb2ccb2cfdd88328d1149c0c31fcf21447 (patch)
tree04711e69dee55ddadc548b4169cc6b2b0d38cdde /monitor.c
parent4e1468d9745c5e32d99cd85386dfc74e90a5cf14 (diff)
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-pam-use-after-free.patch
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index 3fc9253e4..c063ad1a0 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1209,14 +1209,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
1209int 1209int
1210mm_answer_pam_free_ctx(int sock, Buffer *m) 1210mm_answer_pam_free_ctx(int sock, Buffer *m)
1211{ 1211{
1212 int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
1212 1213
1213 debug3("%s", __func__); 1214 debug3("%s", __func__);
1214 (sshpam_device.free_ctx)(sshpam_ctxt); 1215 (sshpam_device.free_ctx)(sshpam_ctxt);
1216 sshpam_ctxt = sshpam_authok = NULL;
1215 buffer_clear(m); 1217 buffer_clear(m);
1216 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); 1218 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
1217 auth_method = "keyboard-interactive"; 1219 auth_method = "keyboard-interactive";
1218 auth_submethod = "pam"; 1220 auth_submethod = "pam";
1219 return (sshpam_authok == sshpam_ctxt); 1221 return r;
1220} 1222}
1221#endif 1223#endif
1222 1224