jonathan/openssh
1
0
Fork 0
forked from rpms/openssh
Code Pull Requests Activity

Correct handle pam_ssh_agent_auth memory, buffers and variable sizes, which caused segfaults (#1225106)

Browse Source
This commit is contained in:
Jakub Jelen 2015-06-02 13:28:54 +02:00
parent 8a10dcb363
commit 73d45fa321
2 changed files with 57 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
openssh-6.7p1-coverity.patch
View File

@ -167,19 +167,6 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"') if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */ cp++; /* Skip both */
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity 2015-03-18 17:21:51.786265063 +0100
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-03-18 17:21:51.898264829 +0100
@@ -89,8 +89,7 @@ userauth_pubkey_from_id(Identity * id)
authenticated = 1;
user_auth_clean_exit:
- if(&b != NULL)
- buffer_free(&b);
+ buffer_free(&b);
if(sig != NULL)
free(sig);
if(pkblob != NULL)
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100 --- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100 +++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100

80
pam_ssh_agent_auth-0.9.3-agent_structure.patch
View File

@ -1,7 +1,6 @@
diff --git a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
index 9555e7e..c17aae6 100644 --- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent 2015-06-02 16:43:09.231902255 +0200
--- a/iterate_ssh_agent_keys.c 2015-05-27 14:09:13.591407306 +0200 +++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2015-06-02 16:43:09.235902253 +0200
+++ b/iterate_ssh_agent_keys.c 2015-05-27 14:10:33.216267826 +0200
@@ -37,6 +37,7 @@ @@ -37,6 +37,7 @@
#include "buffer.h" #include "buffer.h"
#include "key.h" #include "key.h"
@ -10,7 +9,7 @@ index 9555e7e..c17aae6 100644
#include "ssh.h" #include "ssh.h"
#include <stdio.h> #include <stdio.h>
#include <sys/types.h> #include <sys/types.h>
@@ -177,22 +177,28 @@ int @@ -177,34 +178,40 @@ int
find_authorized_keys(uid_t uid) find_authorized_keys(uid_t uid)
{ {
Identity *id; Identity *id;
@ -18,8 +17,8 @@ index 9555e7e..c17aae6 100644
AuthenticationConnection *ac; AuthenticationConnection *ac;
- char *comment; - char *comment;
uint8_t retval = 0; uint8_t retval = 0;
+ struct ssh_identitylist *idlist; + struct ssh_identitylist *idlist;
+ int r, i; + int r, i;
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
session_id2 = session_id2_gen(); session_id2 = session_id2_gen();
@ -32,7 +31,7 @@ index 9555e7e..c17aae6 100644
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES) + if (r != SSH_ERR_AGENT_NO_IDENTITIES)
+ fprintf(stderr, "error fetching identities for " + fprintf(stderr, "error fetching identities for "
+ "protocol %d: %s\n", 2, ssh_err(r)); + "protocol %d: %s\n", 2, ssh_err(r));
+ } + } else
+ for (i = 0; i < idlist->nkeys; i++) + for (i = 0; i < idlist->nkeys; i++)
{ {
- if(key != NULL) { - if(key != NULL) {
@ -45,22 +44,24 @@ index 9555e7e..c17aae6 100644
id->ac = ac; id->ac = ac;
if(userauth_pubkey_from_id(id)) { if(userauth_pubkey_from_id(id)) {
retval = 1; retval = 1;
@@ -204,7 +211,10 @@ find_authorized_keys(uid_t uid) }
- free(id->filename);
- key_free(id->key);
free(id);
if(retval == 1)
break; break;
} }
} }
+ ssh_free_identitylist(idlist);
+ ssh_close_authentication_socket(ac->fd);
+ buffer_free(&ac->identities);
+ free(ac);
- ssh_close_authentication_connection(ac); - ssh_close_authentication_connection(ac);
+ ssh_free_identitylist(idlist);
+ ssh_close_authentication_socket(ac->fd);
+ free(ac);
} }
else { else {
verbose("No ssh-agent could be contacted"); verbose("No ssh-agent could be contacted");
diff --git a/pam_ssh_agent_auth-0.9.3/identity.h b/pam_ssh_agent_auth-0.9.3/identity.h diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h
index eb21320..c00da34 100644 --- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent 2009-08-09 02:54:21.000000000 +0200
--- a/pam_ssh_agent_auth-0.9.3/identity.h +++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h 2015-06-02 16:43:09.235902253 +0200
+++ b/pam_ssh_agent_auth-0.9.3/identity.h
@@ -14,6 +14,12 @@ @@ -14,6 +14,12 @@
typedef struct identity Identity; typedef struct identity Identity;
typedef struct idlist Idlist; typedef struct idlist Idlist;
@ -74,11 +75,37 @@ index eb21320..c00da34 100644
struct identity { struct identity {
TAILQ_ENTRY(identity) next; TAILQ_ENTRY(identity) next;
AuthenticationConnection *ac; /* set if agent supports key */ AuthenticationConnection *ac; /* set if agent supports key */
diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
index 323817a..93b928f 100644 --- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent 2015-06-02 16:43:09.232902254 +0200
--- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c +++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-06-02 16:45:07.699822094 +0200
+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c @@ -54,10 +54,11 @@ extern uint8_t session_id_len;
@@ -81,7 +81,7 @@ userauth_pubkey_from_id(Identity * id) int
userauth_pubkey_from_id(Identity * id)
{
- Buffer b = { 0 };
+ Buffer b;
char *pkalg = NULL;
u_char *pkblob = NULL, *sig = NULL;
- u_int blen = 0, slen = 0;
+ u_int blen = 0;
+ size_t slen = 0;
int authenticated = 0;
pkalg = (char *) key_ssh_name(id->key);
@@ -65,10 +65,10 @@ userauth_pubkey_from_id(Identity * id)
/* first test if this key is even allowed */
if(! pam_user_key_allowed(id->key))
- goto user_auth_clean_exit;
+ goto user_auth_clean_exit_without_buffer;
if(key_to_blob(id->key, &pkblob, &blen) == 0)
- goto user_auth_clean_exit;
+ goto user_auth_clean_exit_without_buffer;
/* construct packet to sign and test */
buffer_init(&b);
@@ -70,7 +70,7 @@ userauth_pubkey_from_id(Identity * id)
buffer_put_cstring(&b, pkalg); buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen); buffer_put_string(&b, pkblob, blen);
@ -87,4 +114,11 @@ index 323817a..93b928f 100644
goto user_auth_clean_exit; goto user_auth_clean_exit;
/* test for correct signature */ /* test for correct signature */
@@ -92,6 +92,7 @@ userauth_pubkey_from_id(Identity * id)
user_auth_clean_exit:
if(&b != NULL)
buffer_free(&b);
+ user_auth_clean_exit_without_buffer:
if(sig != NULL)
free(sig);
if(pkblob != NULL)