Bug 304

Summary: ssh-keysign memory freeing bug
Product: Portable OpenSSH
Reporter: openssh <openssh>
Component: Miscellaneous
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: major
CC: openssh
Priority: P2
Version: -current
Hardware: All
OS: All

Description openssh@sigint.cs.purdue.edu 2002-06-27 08:18:23 AEST
The data received from ssh is freed before key_sign is run on it, which results
in a bogus signature, at least under Linux.  (Solaris and IRIX don't seem to
mind.)

--- ssh-keysign.c~      Wed Jun 26 17:01:42 2002
+++ ssh-keysign.c       Wed Jun 26 17:01:49 2002
@@ -192,7 +192,6 @@
        data = buffer_get_string(&b, &dlen);
        if (valid_request(pw, host, &key, data, dlen) < 0)
                fatal("not a valid request");
-       xfree(data);
        xfree(host);

        found = 0;
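Review bot: the `xfree(data)` removed here was a use-after-free: `data` (returned by `buffer_get_string`) is still passed to `key_sign` in the loop further down, so the buffer was being signed after the allocator had reclaimed it. Freed memory has no defined contents, which is why the signature comes out bogus on Linux while Solaris and IRIX happen to leave the bytes untouched. Dropping the free at this point is the right fix; both `fatal()` calls above exit the process, so nothing leaks on the error paths, and `xfree(host)` can stay where it is provided `host` is not referenced after `valid_request`.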
@@ -208,6 +207,7 @@

        if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
                fatal("key_sign failed");
+       xfree(data);

        /* send reply */
        buffer_clear(&b);
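Review bot: the new `xfree(data)` sits after the last use of `data` in `key_sign` and after the `fatal("key_sign failed")` check, so the buffer is released exactly once on the success path. Worth confirming that the reply assembled below, starting at `buffer_clear(&b)`, only references `signature` and `slen` and never `data`, since any later use would reintroduce the same use-after-free. A short comment next to the free, along the lines of `/* data is used by key_sign above; free it only here */`, would stop a future cleanup from moving it back up.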
Comment 1 Markus Friedl 2002-06-27 08:31:31 AEST
thanks, patch applied (post 3.4)
Comment 2 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED