Bug 2175

Summary: possible use after free
Product: Portable OpenSSH
Reporter: Loganaden Velvindron <loganaden>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: djm
Priority: P5
Version: -current
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 2130
Attachments:
  Description: use_after_free fix
  Flags: none

Description Loganaden Velvindron 2013-12-01 04:09:51 AEDT
Created attachment 2377
use_after_free fix

blob() might be freed on subsequent loop iterations.

    if ((nkeys = pkcs11_add_provider(name, pin, &keys)) > 0) {
            buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER);
            buffer_put_int(&msg, nkeys);
            for (i = 0; i < nkeys; i++) {
                    key_to_blob(keys[i], &blob, &blen);
                    buffer_put_string(&msg, blob, blen);
                    buffer_put_cstring(&msg, name);
                    free(blob);
                    add_key(keys[i], name);
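
The loop shape reported above, as an added example that is not part of the bug report or of OpenSSH: it runs the same pattern against a toy instrumented allocator so that each read or free of a non-live blob is counted rather than performed, next to a loop that checks the encoder's result. Assumptions: `encode_key`, `t_touch`, the slot pool and the sample keys are hypothetical and constructed here, the encoder is modelled as leaving its out-parameters untouched on failure, and the hardened loop is one possible shape, not necessarily the attached patch.

```c
#include <stdio.h>
#include <string.h>
/* Toy instrumented allocator (constructed): slots are never reused; bad touches are counted. */
enum { SLOTS = 8, SLOT_SZ = 32 };
static unsigned char pool[SLOTS][SLOT_SZ];
static int live[SLOTS], next_slot, violations;
static void t_reset(void) { memset(live, 0, sizeof live); next_slot = violations = 0; }
static void t_touch(unsigned char *p, int release) {   /* read, or free if release */
    int *s = p ? &live[(unsigned char (*)[SLOT_SZ])p - pool] : NULL;
    if (!s || !*s) violations++;          /* stale, unset or already freed */
    else if (release) *s = 0;
}

/* Hypothetical encoder: on failure returns 0 and leaves *blobp, *lenp untouched. */
static int encode_key(const char *key, unsigned char **blobp, size_t *lenp) {
    size_t n = key ? strlen(key) : 0;
    if (n == 0 || n > SLOT_SZ || next_slot == SLOTS) return 0;
    live[next_slot] = 1;
    *blobp = pool[next_slot++];
    memcpy(*blobp, key, n);
    *lenp = n;
    return 1;
}

/* Loop shape from the report: result ignored, blob outlives each iteration. */
int run_unchecked(const char **keys, size_t nkeys) {
    unsigned char *blob = NULL; size_t blen = 0;
    t_reset();
    for (size_t i = 0; i < nkeys; i++) {
        encode_key(keys[i], &blob, &blen);
        t_touch(blob, 0);   /* stands in for buffer_put_string() */
        t_touch(blob, 1);   /* stands in for free(blob) */
    }
    return violations;
}
/* Hardened shape (assumed here, not the attached patch): failed keys are skipped. */
int run_checked(const char **keys, size_t nkeys) {
    t_reset();
    for (size_t i = 0; i < nkeys; i++) {
        unsigned char *blob = NULL; size_t blen = 0;   /* fresh per iteration */
        if (!encode_key(keys[i], &blob, &blen)) continue;
        t_touch(blob, 0); t_touch(blob, 1);
    }
    return violations;
}
int main(void) {
    const char *keys[] = { "key-a", "", "key-c" };   /* constructed; 2nd fails to encode */
    printf("unchecked=%d checked=%d\n", run_unchecked(keys, 3), run_checked(keys, 3));
    return 0;
}
```

Each failed key in the unchecked loop produces two violations: one for the read of the stale blob and one for the second free of it.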

Comment 1 Damien Miller 2013-12-02 14:09:41 AEDT
applied - thanks.

Comment 2 Damien Miller 2015-08-11 23:04:38 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1