2175 – possible use after free

Bug 2175 - possible use after free

Summary: possible use after free

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	sshd (show other bugs)
Version:	-current
Hardware:	All All

Importance:	P5 normal
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:	V_6_5
	Show dependency tree / graph

Reported:	2013-12-01 04:09 AEDT by Loganaden Velvindron
Modified:	2015-08-11 23:04 AEST (History)
CC List:	1 user (show)

See Also:

Attachments
use_after_free fix (1.08 KB, text/plain) 2013-12-01 04:09 AEDT, Loganaden Velvindron	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Loganaden Velvindron 2013-12-01 04:09:51 AEDT

Created attachment 2377 [details]
use_after_free fix

blob() might be freed on subsequent loop iterations.

     if ((nkeys = pkcs11_add_provider(name, pin, &keys)) > 0) {
                buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER);
                buffer_put_int(&msg, nkeys);
                for (i = 0; i < nkeys; i++) {
                        key_to_blob(keys[i], &blob, &blen)
                        buffer_put_string(&msg, blob, blen);
                        buffer_put_cstring(&msg, name);
                        free(blob);
                        add_key(keys[i], name);

Comment 1 Damien Miller 2013-12-02 14:09:41 AEDT

applied - thanks.

Comment 2 Damien Miller 2015-08-11 23:04:38 AEST

Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1