From d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Tue, 11 Aug 2015 13:33:24 +1000
Subject: Don't resend username to PAM; it already has it.

Pointed out by Moritz Jodeit; ok dtucker@
---
 monitor.c | 2 --
 1 file changed, 2 deletions(-)
(limited to 'monitor.c')
diff --git a/monitor.c b/monitor.c
index b4109657e..f1b873dc4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
 int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
- debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
 sshpam_authok = NULL;
 buffer_clear(m);
-- 
cgit v1.2.3
From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Tue, 11 Aug 2015 13:34:12 +1000
Subject: set sshpam_ctxt to NULL after free

Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@
---
 monitor.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'monitor.c')
diff --git a/monitor.c b/monitor.c
index f1b873dc4..a91420983 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 debug3("%s", __func__);
 (sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
 buffer_clear(m);
 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 auth_method = "keyboard-interactive";
 auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
 }
 #endif
-- 
cgit v1.2.3
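Review bot: With the `authctxt->user = buffer_get_string(m, NULL);` read gone, `mm_answer_pam_init_ctx` now relies on `authctxt->user` having been set by the monitor itself earlier in the exchange, and nothing in the hunk records that; a comment on the `sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);` line, `/* authctxt->user was set by the monitor; never take it from the child's request */`, would keep a later maintainer from reintroducing the read. If the child-side wrapper still places the username in this request, that string is now unread payload that `buffer_clear(m)` discards; removing it from the sending side as well (outside this diff) would keep the wire format and the handler in step. The body of mm_answer_pam_init_ctx continues past the end of the hunk.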
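Review bot: The statement order in the new `mm_answer_pam_free_ctx` is what makes it correct — `r` must be evaluated before `free_ctx` runs and before both pointers are reset — but the code does not say so, and a later reordering would silently bring the use-after-free back; a comment above the declaration, `/* evaluate before the context is freed and both pointers are cleared below */`, pins the constraint. Separately, `(sshpam_device.free_ctx)(sshpam_ctxt)` is still called unconditionally, so if this request can arrive when `sshpam_ctxt` is already NULL (a repeated free request, for instance) the outcome depends on `free_ctx` tolerating NULL, which this diff cannot show; guarding the call with `if (sshpam_ctxt != NULL)` or confirming that the dispatch permission for this request is withdrawn after the first free would settle that.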