| Summary: | Simplify handling of SSH_CONNECTION in auth-pam | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | miazgapow | ||||||
| Component: | PAM support | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||
| Status: | CLOSED FIXED | ||||||||
| Severity: | enhancement | CC: | djm, dtucker | ||||||
| Priority: | P5 | ||||||||
| Version: | 9.1p1 | ||||||||
| Hardware: | Other | ||||||||
| OS: | Linux | ||||||||
| Bug Depends on: | |||||||||
| Bug Blocks: | 3480 | ||||||||
| Attachments: |
|
||||||||
|
Description
miazgapow
2022-12-09 05:47:41 AEDT
I agree with your analysis. Putting on list for 9.2. Actually looking more closely I don't think it can leak. sshpam_conninfo is allocated at the same time as sshpam_rhost, which is also a global. On subsequent calls to sshpam_init, sshpam_rhost will already be set so sshpam_conninfo will not be re-populated, but it will get used again for pam_putenv. Freeing sshpam_conninfo would mean the during subsequent calls to sshpam_init it would not be available (either NULL if it was nulled out, or a use-after-free if not). Created attachment 3643 [details]
Do not store sshpam_conninfo across calls to sshpam_init
Those things said, the content of sshpam_conninfo is constructed of things that are guaranteed to be available (remote host and port, local port and address) so we don't actually need to cache it across calls at all and thus it doesn't need to be static or global. This puts all of the conninfo bits in one place.
Created attachment 3644 [details]
Do not store sshpam_conninfo across calls to sshpam_init
Damien points out that sshpam_init does get called without the ssh context, so my first patch is not correct.
Thanks for the report, we've made the SSH_CONNECTION handling hopefully clearer. OpenSSH 9.3 has been released. Close resolved bugs |