[Bug 304] New: ssh-keysign memory freeing bug

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jun 27 08:18:25 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=304

           Summary: ssh-keysign memory freeing bug
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: openssh at sigint.cs.purdue.edu
                CC: openssh at sigint.cs.purdue.edu


The data received from ssh is freed before key_sign is run on it, which results
in a bogus signature, at least under Linux.  (Solaris and IRIX don't seem to
mind.)

--- ssh-keysign.c~      Wed Jun 26 17:01:42 2002
+++ ssh-keysign.c       Wed Jun 26 17:01:49 2002
@@ -192,7 +192,6 @@
        data = buffer_get_string(&b, &dlen);
        if (valid_request(pw, host, &key, data, dlen) < 0)
                fatal("not a valid request");
-       xfree(data);
        xfree(host);

        found = 0;
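Review bot: Removing xfree(data) here is the right fix, since data is still passed to key_sign() further down; the only exits between this point and that call that are visible in the patch are fatal() calls, which terminate the process, so deferring the free does not introduce a leak on the error paths. A short comment next to the remaining xfree(host) saying that data intentionally outlives this block would keep a later cleanup from reintroducing the early free.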
@@ -208,6 +207,7 @@

        if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
                fatal("key_sign failed");
+       xfree(data);

        /* send reply */
        buffer_clear(&b);
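Review bot: Placing xfree(data) after the key_sign() check is correct, and the fatal("key_sign failed") path exits the process, so no leak there either. The symptom in the report (a bogus signature rather than a crash) is consistent with the freed chunk being reused before key_sign() read it, which also explains why only some platforms showed it; a run under a debugging allocator or a use-after-free sanitizer would have flagged the read at the old position immediately, and is worth adding to the test procedure for this code path.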
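The following is an added illustration, not code from this report or from OpenSSH. It models the two orderings in the patch with a hypothetical toy signer (an FNV-1a hash standing in for key_sign()) and a poison-on-free quarantine of the kind debugging allocators and ASan use: a freed chunk is overwritten with 0xDD and held instead of being returned to malloc, so the read at the old position yields the same wrong signature every time rather than depending on what malloc hands out next. The request bytes, the signer and the quarantine are all constructed for the example; the memory stays allocated while poisoned, so the read after the "free" is well defined.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample request: stands in for the bytes ssh hands to ssh-keysign. */
static const unsigned char SAMPLE_REQ[] = "constructed ssh-keysign request payload";
#define SAMPLE_LEN (sizeof(SAMPLE_REQ) - 1)

/* Hypothetical stand-in for key_sign(): FNV-1a over the request bytes.
 * The real code signs with the host key; a hash is enough to show whether
 * the bytes that were signed are the bytes that were received. */
static uint64_t toy_sign(const unsigned char *data, size_t dlen)
{
	uint64_t h = 1469598103934665603ULL;
	for (size_t i = 0; i < dlen; i++) {
		h ^= data[i];
		h *= 1099511628211ULL;
	}
	return h;
}

/* Poison-on-free quarantine, modelled on debugging allocators and ASan:
 * the chunk is overwritten with 0xDD and held rather than returned to
 * malloc, so a later read sees the poison deterministically. */
#define QUARANTINE_MAX 16
static void *quarantine[QUARANTINE_MAX];
static int quarantine_n;

static void poisoning_free(void *p, size_t len)
{
	if (quarantine_n >= QUARANTINE_MAX)
		abort();	/* toy limit; a real quarantine evicts the oldest chunk */
	memset(p, 0xDD, len);
	quarantine[quarantine_n++] = p;
}

static void quarantine_drain(void)
{
	while (quarantine_n > 0)
		free(quarantine[--quarantine_n]);
}

/* Like buffer_get_string(): the caller gets a fresh heap copy it must free. */
static unsigned char *get_request(const unsigned char *src, size_t len)
{
	unsigned char *d = malloc(len);
	if (d == NULL)
		abort();
	memcpy(d, src, len);
	return d;
}

/* Ordering before the patch: free the request, then sign it. */
static uint64_t sign_freed_first(const unsigned char *req, size_t len)
{
	unsigned char *data = get_request(req, len);
	poisoning_free(data, len);	/* the early xfree(data) */
	return toy_sign(data, len);	/* reads the poisoned chunk */
}

/* Ordering after the patch: sign the request, then free it. */
static uint64_t sign_then_free(const unsigned char *req, size_t len)
{
	unsigned char *data = get_request(req, len);
	uint64_t sig = toy_sign(data, len);
	poisoning_free(data, len);	/* the moved xfree(data) */
	return sig;
}

/* What the signer produces when every byte it reads is the 0xDD poison. */
static uint64_t poisoned_signature(size_t len)
{
	unsigned char *p = malloc(len);
	if (p == NULL)
		abort();
	memset(p, 0xDD, len);
	uint64_t sig = toy_sign(p, len);
	free(p);
	return sig;
}

int main(void)
{
	uint64_t want = toy_sign(SAMPLE_REQ, SAMPLE_LEN);
	printf("expected       %016llx\n", (unsigned long long)want);
	printf("freed first    %016llx (bogus)\n",
	    (unsigned long long)sign_freed_first(SAMPLE_REQ, SAMPLE_LEN));
	printf("sign then free %016llx\n",
	    (unsigned long long)sign_then_free(SAMPLE_REQ, SAMPLE_LEN));
	quarantine_drain();
	return 0;
}
```

With a plain malloc, the freed-first ordering reads whatever the allocator left or reused in the chunk, which is why the report sees a bogus signature on one platform and nothing on others; the quarantine turns that platform-dependent outcome into a fixed wrong value that a test can check for, and a sanitizer build would report the read itself.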


