set sshpam_ctxt to NULL after free
authorDamien Miller <djm@mindrot.org>
Tue, 11 Aug 2015 03:34:12 +0000 (13:34 +1000)
committerDamien Miller <djm@mindrot.org>
Tue, 11 Aug 2015 03:36:00 +0000 (13:36 +1000)
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@

monitor.c

index f1b873dc4d7db3a59272dd64eccd83550731866c..a91420983ba86eda2619e629265897b3fefed53a 100644 (file)
--- a/monitor.c
+++ b/monitor.c
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+       int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
        debug3("%s", __func__);
        (sshpam_device.free_ctx)(sshpam_ctxt);
+       sshpam_ctxt = sshpam_authok = NULL;
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
        auth_method = "keyboard-interactive";
        auth_submethod = "pam";
-       return (sshpam_authok == sshpam_ctxt);
+       return r;
 }
 #endif
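Review bot: The value captured in `r` at the top of mm_answer_pam_free_ctx is the authentication result the monitor returns, and the new `sshpam_authok != NULL` term changes that result, but the code documents neither. The old `return (sshpam_authok == sshpam_ctxt);` evaluated to 1 whenever both pointers were NULL, so the guard is security-relevant. A comment above the declaration, such as `/* capture auth result before the ctx is freed; NULL == NULL must not count as success */`, would keep a later cleanup from dropping it. Separately, `(sshpam_device.free_ctx)(sshpam_ctxt)` still runs unconditionally, so a repeated free request now hands NULL to the callback. Whether every free_ctx implementation tolerates NULL is not visible here, and wrapping the call in `if (sshpam_ctxt != NULL)` would settle it.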