Bug 170

Summary: Double free() and heap corruption when krb4 auth fails
Product: Portable OpenSSH
Reporter: Rolf Braun <rbraun+ssh>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: major
Priority: P2
Version: -current
Hardware: All
OS: All
Attachments:
  patch to fix double free() when krb4 auth fails (flags: none)

Description Rolf Braun 2002-03-18 11:53:09 AEDT
After upgrading some machines to OpenSSH 3.1p1 recently, I noticed some odd
behavior when connecting to the 3.1p1 sshd. Specifically, if I use a kerberized
ssh client and have a Kerberos v4 TGT, but *not* in the Kerberos realm of the
machine I'm ssh-ing to, the authorization should fail (since my .klogin doesn't
specifically allow this), and it does. Then sshd abruptly closes the connection
with no message (not even with the client in maximally verbose mode). When I try
to run sshd in debug mode without the daemon (-d -d -d -D) and reproduce this
problem, it is in fact segfaulting shortly after the point where the krb4 auth
is failing. Some gdb traces show that this segfault is happening in malloc().

The cause of this is a free() in the auth_krb4 function (in auth-krb4.c) of a
pointer, client_user, passed by reference (as *client) to that function. The
do_authloop function in auth1.c, which calls auth_krb4, expects that this
pointer is either valid or NULL on return, since it will free any non-NULL
pointer later in the loop. One solution, represented by the attached patch, is
to set the pointer to NULL after it is freed; another solution is to not free
the client_user string at all and let do_authloop deal with it.
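The pattern the report describes, as an added illustration that is not OpenSSH code: a callee frees a string it received by reference, and the caller later frees whatever non-NULL pointer it still holds. The function and variable names below (auth_krb4_buggy, auth_krb4_fixed, run_authloop, the realm strings) are hypothetical stand-ins for auth_krb4 and do_authloop, and the instrumented tracked_free exists only so the second free can be counted instead of corrupting the heap the way a real free() would.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented free(): remembers freed blocks so a repeat free of the same
 * pointer is counted rather than handed to the allocator. Illustrative only;
 * with the real free() the second call corrupts allocator metadata and the
 * crash surfaces later, e.g. inside malloc(), as in the report. */
#define MAX_FREED 16
static void *freed_ptrs[MAX_FREED];
static int freed_count;
static int double_free_count;

static void tracked_free(void *p) {
    if (p == NULL)
        return;                         /* free(NULL) is a harmless no-op */
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {
            double_free_count++;        /* this would be the heap corruption */
            return;
        }
    }
    if (freed_count < MAX_FREED)
        freed_ptrs[freed_count++] = p;
    free(p);
}

static void reset_tracking(void) {
    freed_count = 0;
    double_free_count = 0;
}

/* Hypothetical stand-in for the krb4 check: the ticket is accepted only for
 * the local realm. On failure the buggy variant frees the client name but
 * leaves the caller's pointer dangling and non-NULL. */
static int auth_krb4_buggy(char **client, const char *realm) {
    if (strcmp(realm, "LOCAL.REALM") != 0) {
        tracked_free(*client);          /* freed, but *client unchanged */
        return 0;
    }
    return 1;
}

/* Same check with the fix from the attached patch: NULL the caller's
 * pointer after freeing, so the caller's "free if non-NULL" stays safe. */
static int auth_krb4_fixed(char **client, const char *realm) {
    if (strcmp(realm, "LOCAL.REALM") != 0) {
        tracked_free(*client);
        *client = NULL;
        return 0;
    }
    return 1;
}

/* Stand-in for the do_authloop cleanup: it assumes client_user is either
 * valid or NULL and frees it when non-NULL. Returns how many double frees
 * the instrumented allocator observed during this run. */
static int run_authloop(int (*auth)(char **, const char *), const char *realm) {
    static const char name[] = "rbraun";    /* constructed sample client name */
    reset_tracking();
    char *client_user = malloc(sizeof name);
    if (client_user == NULL)
        return -1;
    memcpy(client_user, name, sizeof name);

    (void)auth(&client_user, realm);

    /* With the buggy callee this test passes on a dangling pointer. */
    if (client_user != NULL) {
        tracked_free(client_user);
        client_user = NULL;
    }
    return double_free_count;
}

int main(void) {
    printf("buggy, foreign realm: %d double free(s)\n",
           run_authloop(auth_krb4_buggy, "OTHER.REALM"));
    printf("fixed, foreign realm: %d double free(s)\n",
           run_authloop(auth_krb4_fixed, "OTHER.REALM"));
    printf("fixed, local realm:   %d double free(s)\n",
           run_authloop(auth_krb4_fixed, "LOCAL.REALM"));
    return 0;
}
```

Either fix from the report works because the invariant do_authloop relies on is "non-NULL means still owned by me": nulling the pointer after free() restores it, and not freeing in the callee at all never breaks it. Running the real code under a malloc debugger or AddressSanitizer reports the second free at the free() call rather than at the later malloc() where gdb showed the crash.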
Comment 1 Rolf Braun 2002-03-18 11:55:12 AEDT
Created attachment 46
patch to fix double free() when krb4 auth fails
Comment 2 Markus Friedl 2002-03-20 08:09:59 AEDT
patch applied
Comment 3 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED