authorDag-Erling Smørgrav <des@FreeBSD.org>2003-09-24 19:53:37 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2003-09-24 19:53:37 +0000
commit13b13bd51dece1e1c345b7e7a5fe79e68bb2e48e (patch)
treecd00a4dff255d08b93eac5f939b148de57cde889
parent0a88c805a791ba5095babc4e9f0b56db0fe93754 (diff)
MFS: plug a resource leak in ssh1 challenge/response code.
Notes
Notes: svn path=/releng/4.6/; revision=120415
-rw-r--r--crypto/openssh/auth-chall.c8
-rw-r--r--crypto/openssh/auth.h1
-rw-r--r--crypto/openssh/auth1.c14
3 files changed, 22 insertions, 1 deletions
diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
index 45e0c34522b1..62fd66212e14 100644
--- a/crypto/openssh/auth-chall.c
+++ b/crypto/openssh/auth-chall.c
@@ -80,3 +80,11 @@ verify_response(Authctxt *authctxt, const char *response)
authctxt->kbdintctxt = NULL;
return res ? 0 : 1;
}
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+ if (authctxt->kbdintctxt != NULL) {
+ device->free_ctx(authctxt->kbdintctxt);
+ authctxt->kbdintctxt = NULL;
+ }
+}
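Review bot: abandon_challenge_response() calls `device->free_ctx()` through a `device` that is neither a parameter nor a local, so it relies on the unstated invariant that a non-NULL `authctxt->kbdintctxt` was created by that same device. The code that sets `device` is outside this hunk (presumably in get_challenge()), so the invariant cannot be confirmed here and should be written down. I would add a header comment such as `/* Release a challenge context that was never answered; device must be the one that created kbdintctxt. */`. Because this path is reachable before authentication completes, a cheap `device != NULL` guard next to the existing check would also be reasonable.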
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index 730b70d07fdb..4c622e2fec01 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -160,6 +160,7 @@ struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
int verify_response(Authctxt *, const char *);
+void abandon_challenge_response(Authctxt *);
struct passwd * auth_get_user(void);
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 2ebc8d039b0d..78f90708b507 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -73,7 +73,7 @@ do_authloop(Authctxt *authctxt)
char info[1024];
u_int dlen;
u_int ulen;
- int type = 0;
+ int prev, type = 0;
struct passwd *pw = authctxt->pw;
debug("Attempting authentication for %s%.100s.",
@@ -103,8 +103,20 @@ do_authloop(Authctxt *authctxt)
info[0] = '\0';
/* Get a packet from the client. */
+ prev = type;
type = packet_read();
+ /*
+ * If we started challenge-response authentication but the
+ * next packet is not a response to our challenge, release
+ * the resources allocated by get_challenge() (which would
+ * normally have been released by verify_response() had we
+ * received such a response)
+ */
+ if (prev == SSH_CMSG_AUTH_TIS &&
+ type != SSH_CMSG_AUTH_TIS_RESPONSE)
+ abandon_challenge_response(authctxt);
+
/* Process the packet. */
switch (type) {
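Review bot: The cleanup is keyed on packet history (`prev == SSH_CMSG_AUTH_TIS`) rather than on whether a context is actually pending, so it only covers leaks that follow exactly this packet sequence in do_authloop(). abandon_challenge_response() is already a no-op when `kbdintctxt` is NULL, so the test could be just `if (type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt);`, which also removes the need for `prev`. That assumes `kbdintctxt` is only ever set by get_challenge(), which should be confirmed, since the function body lies outside this hunk. It is also worth checking that every exit from the loop after a challenge either releases the context or ends the process, because an unauthenticated client controls the packet order here.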