author | Damien Miller <djm@mindrot.org> | 2015-08-11 13:34:12 +1000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-11-24 20:45:17 +0000 |
commit | fddd7fcb2ccb2cfdd88328d1149c0c31fcf21447 (patch) | |
tree | 04711e69dee55ddadc548b4169cc6b2b0d38cdde /monitor.c | |
parent | 4e1468d9745c5e32d99cd85386dfc74e90a5cf14 (diff) |
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: backport-pam-use-after-free.patch
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 4 |
1 files changed, 3 insertions, 1 deletions
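--- a/monitor.c
+++ b/monitor.c
@@ -1209,14 +1209,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 debug3("%s", __func__);
 (sshpam_device.free_ctx)(sshpam_ctxt);
+sshpam_ctxt = sshpam_authok = NULL;
 buffer_clear(m);
 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 auth_method = "keyboard-interactive";
 auth_submethod = "pam";
-return (sshpam_authok == sshpam_ctxt);
+return r;
 }
 #endif
 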
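Review bot: After this change a repeated or out-of-order free request from the privsep child reaches `(sshpam_device.free_ctx)(sshpam_ctxt)` with `sshpam_ctxt == NULL`, and whether `free_ctx` tolerates a NULL context is not visible in this hunk. Because the commit message treats the child as potentially compromised, the monitor should reject that state itself, e.g. `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` placed before the free call. The same check would be worth having in any other monitor handler that uses `sshpam_ctxt` after it has been cleared; those handlers are outside this hunk. A short comment on the `int r = ...` line, such as `/* evaluate before free_ctx: both pointers are cleared below */`, would also keep a later cleanup from moving the comparison back into the return statement.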