set sshpam_ctxt to NULL after free

Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@
2015-08-11 13:34:12 +10:00 · 2015-08-11 13:34:12 +10:00 · 5e75f51987
parent d4697fe9a2
commit 5e75f51987
1 changed files with 3 additions and 1 deletions
--- a/monitor.c
+++ b/monitor.c
@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;

 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+	sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif