From: Antonio Larrosa
Date: Fri, 23 Aug 2024 10:21:06 +0000 (+0200)
Subject: Don't skip audit before exiting cleanup_exit
X-Git-Tag: V_9_9_P1~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05f2b141cfcc60c7cdedf9450d2b9d390c19eaad;p=thirdparty%2Fopenssh-portable.git

Don't skip audit before exiting cleanup_exit

This fixes an issue where the SSH_CONNECTION_ABANDON event is not audited because cleanup_exit overrides the regular _exit too soon and as a result, failed auth attempts are not logged correctly.

The problem was introduced in 81c1099d22b81ebfd20a334ce986c4f753b0db29 where the code from upstream was merged before the audit_event call when it should have been merged right before the _exit call in order to honor the comment that just mentions an override of the exit value.

---
diff --git a/sshd-session.c b/sshd-session.c index d089f10de..757435a1f 100644 --- a/sshd-session.c +++ b/sshd-session.c @@ -1502,13 +1502,13 @@ cleanup_exit(int i) } } } - /* Override default fatal exit value when auth was attempted */ - if (i == 255 && auth_attempted) - _exit(EXIT_AUTH_ATTEMPTED); #ifdef SSH_AUDIT_EVENTS /* done after do_cleanup so it can cancel the PAM auth 'thread' */ if (the_active_state != NULL && mm_is_monitor()) audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif + /* Override default fatal exit value when auth was attempted */ + if (i == 255 && auth_attempted) + _exit(EXIT_AUTH_ATTEMPTED); _exit(i); }
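
Review bot: The relocated override at the end of cleanup_exit still carries its own `_exit(EXIT_AUTH_ATTEMPTED)` ahead of the final `_exit(i)`, so any code a later merge places after it can again be skipped on the `i == 255` path, which is how the commit message says SSH_CONNECTION_ABANDON stopped being audited. Consider turning the early exit into an assignment, `if (i == 255 && auth_attempted) i = EXIT_AUTH_ATTEMPTED;`, and keeping the single `_exit(i);` as the only exit, so the position of the `#ifdef SSH_AUDIT_EVENTS` block relative to the override no longer matters. If the two-exit form stays, extend the comment to state that the override must remain after the `audit_event` call and directly before `_exit(i)`. Since `audit_event` runs only when `the_active_state != NULL && mm_is_monitor()`, a regression test that fails authentication and checks for the abandon event would confirm the fix on the path that was broken.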