Kerberos / PAM bug in OpenSSH CVS
Simon Wilkinson
simon at sxw.org.uk
Tue Nov 13 11:15:39 EST 2001
In do_authloop() in auth1.c, the Kerberos 4 and 5 code both allocate, then
xfree() the client_user string. The call to do_pam_account() later in the
function then tries to use this string, resulting in a corrupt remote user.
Finally, before exiting, the function frees client_user again, resulting in a
double free and much mess.
Patch attached.
Cheers,
Simon.
--
Simon Wilkinson <simon at sxw.org.uk> http://www.sxw.org.uk
"Outside of a dog, a book is a man's best friend. Inside of a dog, it's too
dark to read." - Groucho Marx
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clientuserfree.diff
Type: text/x-c
Size: 588 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20011113/1fe68748/attachment.bin
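
The lifetime problem reported above, shown as an added example; this is not OpenSSH code and not the attached patch. release_user(), account_check(), auth_loop() and the principal names are hypothetical and constructed for illustration. The name is owned by one variable, released through a helper that also clears the pointer, and freed once on the exit path after the account check has used it.

```c
#include <stdlib.h>
#include <string.h>

static int frees;                 /* counts real releases, for checking */

/* Free and clear together: a repeated release becomes a no-op and a
 * later use sees NULL instead of a dangling pointer. */
static void release_user(char **p)
{
    if (*p != NULL) {
        free(*p);
        frees++;
    }
    *p = NULL;
}

/* Hypothetical stand-in for the account check that needs the user name. */
static int account_check(const char *remote_user, const char *expected)
{
    return remote_user != NULL && strcmp(remote_user, expected) == 0;
}

/* Constructed auth loop: the attempt matching `wanted` authenticates.
 * Returns 1 if the account check saw the intact name. */
int auth_loop(const char **attempts, size_t n, const char *wanted)
{
    char *client_user = NULL;
    int authenticated = 0, ok = 0;

    for (size_t i = 0; i < n && !authenticated; i++) {
        release_user(&client_user);      /* drop a failed attempt's name */
        client_user = malloc(strlen(attempts[i]) + 1);
        if (client_user == NULL)
            break;
        strcpy(client_user, attempts[i]);
        authenticated = strcmp(client_user, wanted) == 0;
        /* Reported pattern: a free here that leaves client_user set, so
         * the check below reads freed memory and the exit frees again. */
    }
    if (authenticated)
        ok = account_check(client_user, wanted);
    release_user(&client_user);          /* the one exit-path release */
    return ok;
}

int main(void)
{
    const char *tries[] = { "mallory@EXAMPLE.ORG", "alice@EXAMPLE.ORG" };
    return auth_loop(tries, 2, "alice@EXAMPLE.ORG") ? 0 : 1;
}
```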