From: Damien Miller
Date: Tue, 11 Aug 2015 03:34:12 +0000 (+1000)
Subject: set sshpam_ctxt to NULL after free
X-Git-Tag: V_7_0_P1~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e75f5198769056089fb06c4d738ab0e5abc66f7;p=thirdparty%2Fopenssh-portable.git

set sshpam_ctxt to NULL after free

Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
---
diff --git a/monitor.c b/monitor.c
index f1b873dc4..a91420983 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+	sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif
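Review bot: The handler still calls `(sshpam_device.free_ctx)(sshpam_ctxt)` unconditionally, so after this fix a compromised child that sends MONITOR_REQ_PAM_FREE_CTX before any INIT_CTX, or a second time, hands a NULL context to free_ctx; whether that is harmless depends on free_ctx tolerating NULL, which this hunk cannot show. Since the commit is explicitly hardening the monitor against a hostile privsep child, an explicit guard is cheaper than relying on that: `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` placed after the debug3 call and before the free_ctx call. The reason `r` is computed at the top is not obvious to a later reader; a comment on that line such as `/* evaluate before free_ctx: sshpam_authok may alias sshpam_ctxt */` would keep someone from "simplifying" it back into the return statement and reintroducing the use-after-free.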