Correct handle pam_ssh_agent_auth memory, buffers and variable sizes, which caused segfaults (#1225106)
This commit is contained in:
parent
8a10dcb363
commit
73d45fa321
@ -167,19 +167,6 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity
|
||||
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
||||
if (*cp == '\\' && cp[1] == '"')
|
||||
cp++; /* Skip both */
|
||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
|
||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity 2015-03-18 17:21:51.786265063 +0100
|
||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-03-18 17:21:51.898264829 +0100
|
||||
@@ -89,8 +89,7 @@ userauth_pubkey_from_id(Identity * id)
|
||||
authenticated = 1;
|
||||
|
||||
user_auth_clean_exit:
|
||||
- if(&b != NULL)
|
||||
- buffer_free(&b);
|
||||
+ buffer_free(&b);
|
||||
if(sig != NULL)
|
||||
free(sig);
|
||||
if(pkblob != NULL)
|
||||
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
|
||||
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
|
||||
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
|
||||
|
@ -1,7 +1,6 @@
|
||||
diff --git a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
|
||||
index 9555e7e..c17aae6 100644
|
||||
--- a/iterate_ssh_agent_keys.c 2015-05-27 14:09:13.591407306 +0200
|
||||
+++ b/iterate_ssh_agent_keys.c 2015-05-27 14:10:33.216267826 +0200
|
||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
|
||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent 2015-06-02 16:43:09.231902255 +0200
|
||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2015-06-02 16:43:09.235902253 +0200
|
||||
@@ -37,6 +37,7 @@
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
@ -10,7 +9,7 @@ index 9555e7e..c17aae6 100644
|
||||
#include "ssh.h"
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
@@ -177,22 +177,28 @@ int
|
||||
@@ -177,34 +178,40 @@ int
|
||||
find_authorized_keys(uid_t uid)
|
||||
{
|
||||
Identity *id;
|
||||
@ -32,7 +31,7 @@ index 9555e7e..c17aae6 100644
|
||||
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
||||
+ fprintf(stderr, "error fetching identities for "
|
||||
+ "protocol %d: %s\n", 2, ssh_err(r));
|
||||
+ }
|
||||
+ } else
|
||||
+ for (i = 0; i < idlist->nkeys; i++)
|
||||
{
|
||||
- if(key != NULL) {
|
||||
@ -45,22 +44,24 @@ index 9555e7e..c17aae6 100644
|
||||
id->ac = ac;
|
||||
if(userauth_pubkey_from_id(id)) {
|
||||
retval = 1;
|
||||
@@ -204,7 +211,10 @@ find_authorized_keys(uid_t uid)
|
||||
}
|
||||
- free(id->filename);
|
||||
- key_free(id->key);
|
||||
free(id);
|
||||
if(retval == 1)
|
||||
break;
|
||||
}
|
||||
}
|
||||
- ssh_close_authentication_connection(ac);
|
||||
+ ssh_free_identitylist(idlist);
|
||||
+ ssh_close_authentication_socket(ac->fd);
|
||||
+ buffer_free(&ac->identities);
|
||||
+ free(ac);
|
||||
- ssh_close_authentication_connection(ac);
|
||||
}
|
||||
else {
|
||||
verbose("No ssh-agent could be contacted");
|
||||
diff --git a/pam_ssh_agent_auth-0.9.3/identity.h b/pam_ssh_agent_auth-0.9.3/identity.h
|
||||
index eb21320..c00da34 100644
|
||||
--- a/pam_ssh_agent_auth-0.9.3/identity.h
|
||||
+++ b/pam_ssh_agent_auth-0.9.3/identity.h
|
||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h
|
||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent 2009-08-09 02:54:21.000000000 +0200
|
||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h 2015-06-02 16:43:09.235902253 +0200
|
||||
@@ -14,6 +14,12 @@
|
||||
typedef struct identity Identity;
|
||||
typedef struct idlist Idlist;
|
||||
@ -74,11 +75,37 @@ index eb21320..c00da34 100644
|
||||
struct identity {
|
||||
TAILQ_ENTRY(identity) next;
|
||||
AuthenticationConnection *ac; /* set if agent supports key */
|
||||
diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
|
||||
index 323817a..93b928f 100644
|
||||
--- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
|
||||
+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
|
||||
@@ -81,7 +81,7 @@ userauth_pubkey_from_id(Identity * id)
|
||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
|
||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent 2015-06-02 16:43:09.232902254 +0200
|
||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-06-02 16:45:07.699822094 +0200
|
||||
@@ -54,10 +54,11 @@ extern uint8_t session_id_len;
|
||||
int
|
||||
userauth_pubkey_from_id(Identity * id)
|
||||
{
|
||||
- Buffer b = { 0 };
|
||||
+ Buffer b;
|
||||
char *pkalg = NULL;
|
||||
u_char *pkblob = NULL, *sig = NULL;
|
||||
- u_int blen = 0, slen = 0;
|
||||
+ u_int blen = 0;
|
||||
+ size_t slen = 0;
|
||||
int authenticated = 0;
|
||||
|
||||
pkalg = (char *) key_ssh_name(id->key);
|
||||
@@ -65,10 +65,10 @@ userauth_pubkey_from_id(Identity * id)
|
||||
|
||||
/* first test if this key is even allowed */
|
||||
if(! pam_user_key_allowed(id->key))
|
||||
- goto user_auth_clean_exit;
|
||||
+ goto user_auth_clean_exit_without_buffer;
|
||||
|
||||
if(key_to_blob(id->key, &pkblob, &blen) == 0)
|
||||
- goto user_auth_clean_exit;
|
||||
+ goto user_auth_clean_exit_without_buffer;
|
||||
|
||||
/* construct packet to sign and test */
|
||||
buffer_init(&b);
|
||||
@@ -70,7 +70,7 @@ userauth_pubkey_from_id(Identity * id)
|
||||
buffer_put_cstring(&b, pkalg);
|
||||
buffer_put_string(&b, pkblob, blen);
|
||||
|
||||
@ -87,4 +114,11 @@ index 323817a..93b928f 100644
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
|
||||
|
||||
@@ -92,6 +92,7 @@ userauth_pubkey_from_id(Identity * id)
|
||||
user_auth_clean_exit:
|
||||
if(&b != NULL)
|
||||
buffer_free(&b);
|
||||
+ user_auth_clean_exit_without_buffer:
|
||||
if(sig != NULL)
|
||||
free(sig);
|
||||
if(pkblob != NULL)
|
||||
|
Loading…
Reference in New Issue
Block a user