Bug 2175 - possible use after free
Summary: possible use after free
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All All
Importance: P5 normal
Assignee: Assigned to nobody
Blocks: V_6_5
Reported: 2013-12-01 04:09 AEDT by Loganaden Velvindron
Modified: 2015-08-11 23:04 AEST

Attachments
use_after_free fix (1.08 KB, text/plain)
2013-12-01 04:09 AEDT, Loganaden Velvindron

Description Loganaden Velvindron 2013-12-01 04:09:51 AEDT
Created attachment 2377
use_after_free fix

blob() might be freed on subsequent loop iterations.

        if ((nkeys = pkcs11_add_provider(name, pin, &keys)) > 0) {
                buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER);
                buffer_put_int(&msg, nkeys);
                for (i = 0; i < nkeys; i++) {
                        key_to_blob(keys[i], &blob, &blen);
                        buffer_put_string(&msg, blob, blen);
                        buffer_put_cstring(&msg, name);
                        free(blob);
                        add_key(keys[i], name);
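
Added example (not part of the report, the attached patch, or OpenSSH's code): the unchecked loop shape from the fragment above next to a checked form, under the assumption that the serializer can fail without writing its output pointer. `to_blob`, `emit_unchecked` and `emit_checked` are hypothetical names, and the key list is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical serializer (assumption): returns 1 and sets *blobp on success,
 * returns 0 and leaves *blobp untouched when the key cannot be encoded. */
static int to_blob(const char *key, unsigned char **blobp, size_t *lenp)
{
    if (key == NULL || (*blobp = malloc(strlen(key) + 1)) == NULL)
        return 0;
    *lenp = strlen(key);
    memcpy(*blobp, key, *lenp + 1);
    return 1;
}

/* Unchecked loop, for contrast only (never called here): after a failed
 * to_blob(), blob still holds the address freed on the previous pass. */
void emit_unchecked(const char **keys, size_t n, size_t *bytes)
{
    unsigned char *blob = NULL;
    size_t blen = 0, i;
    for (i = 0; i < n; i++) {
        to_blob(keys[i], &blob, &blen);
        *bytes += blen;          /* stands in for buffer_put_string() */
        free(blob);              /* stale pointer freed again if to_blob() failed */
    }
}

/* Checked loop: skip keys that fail to encode, clear the pointer after free. */
size_t emit_checked(const char **keys, size_t n, size_t *bytes)
{
    unsigned char *blob = NULL;
    size_t blen = 0, i, sent = 0;
    for (i = 0; i < n; i++) {
        if (!to_blob(keys[i], &blob, &blen))
            continue;
        *bytes += blen;
        free(blob);
        blob = NULL;
        sent++;
    }
    return sent;
}

int main(void)
{
    const char *keys[] = { "key-a", NULL, "key-b" };   /* constructed input */
    size_t bytes = 0, sent = emit_checked(keys, 3, &bytes);
    return printf("%zu keys sent, %zu bytes\n", sent, bytes) < 0;
}
```

Building the unchecked variant with `-fsanitize=address` and feeding it the same input is a quick way to confirm that a loop of this shape touches freed memory.
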
Comment 1 Damien Miller 2013-12-02 14:09:41 AEDT
applied - thanks.
Comment 2 Damien Miller 2015-08-11 23:04:38 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1