diff options
| author | Damien Miller <djm@mindrot.org> | 2015-08-11 13:34:12 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-08-11 13:36:00 +1000 |
| commit | 5e75f5198769056089fb06c4d738ab0e5abc66f7 (patch) | |
| tree | 939fc57f4ad54019d9d749abaa2e2d4b606a9116 /monitor.c | |
| parent | d4697fe9a28dab7255c60433e4dd23cf7fce8a8b (diff) | |
set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 4 |
1 files changed, 3 insertions, 1 deletions
| @@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
| 1166 | int | 1166 | int |
| 1167 | mm_answer_pam_free_ctx(int sock, Buffer *m) | 1167 | mm_answer_pam_free_ctx(int sock, Buffer *m) |
| 1168 | { | 1168 | { |
| 1169 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | ||
| 1169 | 1170 | ||
| 1170 | debug3("%s", __func__); | 1171 | debug3("%s", __func__); |
| 1171 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1172 | (sshpam_device.free_ctx)(sshpam_ctxt); |
| 1173 | sshpam_ctxt = sshpam_authok = NULL; | ||
| 1172 | buffer_clear(m); | 1174 | buffer_clear(m); |
| 1173 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1175 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
| 1174 | auth_method = "keyboard-interactive"; | 1176 | auth_method = "keyboard-interactive"; |
| 1175 | auth_submethod = "pam"; | 1177 | auth_submethod = "pam"; |
| 1176 | return (sshpam_authok == sshpam_ctxt); | 1178 | return r; |
| 1177 | } | 1179 | } |
| 1178 | #endif | 1180 | #endif |
| 1179 | 1181 | ||