[Bug 2541] New: Add explicit_bzero() before free() in OpenSSH-7.1p2 for auth1.c/auth2.c/auth2-hostbased.c
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Mon Feb 15 07:46:50 AEDT 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2541
Bug ID: 2541
Summary: Add explicit_bzero() before free() in OpenSSH-7.1p2
for auth1.c/auth2.c/auth2-hostbased.c
Product: Portable OpenSSH
Version: 7.1p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: wp02855 at gmail.com
Created attachment 2787
--> https://bugzilla.mindrot.org/attachment.cgi?id=2787&action=edit
Patch file for this bug report
Hello All,
In reviewing code in OpenSSH-7.1p2, there are some instances
where free()
is called in file 'auth1.c', in which the contents are not sanitized
before free() is called. The patch file below should address these
instances:
--- auth1.c.orig 2016-02-13 18:13:35.016278903 -0800
+++ auth1.c 2016-02-13 18:18:43.853530529 -0800
@@ -207,6 +207,7 @@
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
+ explicit_bzero(challenge, sizeof(*challenge));
free(challenge);
packet_send();
packet_write_wait();
@@ -356,6 +357,7 @@
/* Log before sending the reply */
auth_log(authctxt, authenticated, 0,
get_authname(type), NULL);
+ explicit_bzero(client_user, sizeof(*client_user));
free(client_user);
client_user = NULL;
=======================================================================
In the case of variable 'client_user', calling free() and setting the
static char pointer to NULL does not explicitly scrub any of the
contents
past the first character, does it not?
In reviewing code in openssh-7.1p2, there are some instances
where free()
is called in file 'auth2.c', in which the contents are not sanitized
before free() is called. The patch file below should address these
instances:
--- auth2.c.orig 2016-02-13 18:43:48.284735999 -0800
+++ auth2.c 2016-02-13 18:50:11.694465404 -0800
@@ -125,6 +125,7 @@
close(fd);
if (n != len) {
+ explicit_bzero(banner, sizeof(*banner));
free(banner);
return (NULL);
}
@@ -159,6 +160,7 @@
userauth_send_banner(banner);
done:
+ explicit_bzero(banner, sizeof(*banner));
free(banner);
}
@@ -204,6 +206,7 @@
debug("bad service request %s", service);
packet_disconnect("bad service request %s", service);
}
+ explicit_bzero(service, sizeof(*service))
free(service);
return 0;
}
@@ -282,8 +285,11 @@
}
userauth_finish(authctxt, authenticated, method, NULL);
+ explicit_bzero(service, sizeof(*service));
free(service);
+ explicit_bzero(user, sizeof(*user));
free(user);
+ explicit_bzero(method, sizeof(*method));
free(method);
return 0;
}
@@ -373,6 +379,7 @@
packet_put_char(partial);
packet_send();
packet_write_wait();
+ explicit_bzero(methods, sizeof(*methods));
free(methods);
}
}
@@ -491,6 +498,7 @@
}
ret = 0;
out:
+ explicit_bzero(omethods, sizeof(*omethods));
free(omethods);
return ret;
}
@@ -581,6 +589,7 @@
if (*p == ',')
p++;
*methods = xstrdup(p);
+ explicit_bzero(omethods, sizeof(*omethods));
free(omethods);
return 1;
}
=======================================================================
In reviewing code in openssh-7.1p2, there are some instances
where free()
is called in file 'auth2-hostbased.c', in which the contents are not
sanitized
before free() is called. The patch file below should address these
instances:
--- auth2-hostbased.c.orig 2016-02-13 19:00:19.828756146 -0800
+++ auth2-hostbased.c 2016-02-13 19:04:31.173700796 -0800
@@ -147,10 +147,15 @@
debug2("userauth_hostbased: authenticated %d", authenticated);
if (key != NULL)
key_free(key);
+ explicit_bzero(pkalg, sizeof(*pkalg));
free(pkalg);
+ explicit_bzero(pkblob, sizeof(*pkblob));
free(pkblob);
+ explicit_bzero(cuser, sizeof(*cuser));
free(cuser);
+ explicit_bzero(chost, sizeof(*chost));
free(chost);
+ explicit_bzero(sig, sizeof(*sig));
free(sig);
return authenticated;
}
@@ -237,6 +242,7 @@
verbose("Accepted %s public key %s from %s@%s",
key_type(key), fp, cuser, lookup);
}
+ explicit_bzero(fp, sizeof(*fp));
free(fp);
}
=======================================================================
I am attaching the patch file(s) to this bug report...
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list