[Bug 170] New: Double free() and heap corruption when krb4 auth fails
bugzilla-daemon at mindrot.org
Mon Mar 18 11:53:11 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=170
Summary: Double free() and heap corruption when krb4 auth fails
Product: Portable OpenSSH
Version: 3.1p1
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: rbraun+ssh at andrew.cmu.edu
After upgrading some machines to openssh 3.1p1 recently, I noticed some odd
behavior when connecting to the 3.1p1 sshd. Specifically, if I used a kerberized
client ssh, and I have a kerberos v4 tgt, but *not* in the kerb realm of the
machine I'm ssh-ing to, the authorization should fail (since my .klogin doesn't
specifically allow this), and it does. Then sshd abruptly closes the connection.
No message (not even with the client in maximally verbose mode). When I try to
run sshd in debug mode without the daemon (-d -d -d -D) and reproduce this
problem, it is in fact segfaulting shortly after the point where the krb4 auth
is failing. Some gdb traces show that this segfault is happening in malloc().
The cause of this is a free() in the auth_krb4 function (in auth-krb4.c) of a
pointer, client_user, passed by reference (as *client) to that function. The
do_authloop function in auth1.c, which calls auth_krb4, expects that this
pointer is either valid or NULL on return, since it will free any non-NULL
pointer later in the loop. One solution, represented by the attached patch, is
to set the pointer to NULL after it is freed; another solution is to not free
the client_user string at all and let do_authloop deal with it.
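The following is an added illustration of the ownership mistake the report describes; it is not OpenSSH's code and the attached patch is not reproduced here. It models auth_krb4 and do_authloop as two small hypothetical functions (auth_krb4_buggy, auth_krb4_null_after_free, auth_krb4_caller_owns, run_authloop are invented names) and routes every release through an instrumented tracked_free() that counts a repeated free instead of corrupting the heap, so the three variants can be compared safely: the 3.1p1 shape, the NULL-after-free remedy from the attached patch, and the alternative of leaving the string for do_authloop to free.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented free(): instead of handing the same address to libc twice
 * (which is what corrupts the heap and crashes later inside malloc()), it
 * remembers addresses it has already released and counts any repeat. */
#define MAX_TRACKED 16
static uintptr_t freed_addrs[MAX_TRACKED];
static int freed_count;
static int double_free_count;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                           /* free(NULL) is a no-op, always safe */
    uintptr_t addr = (uintptr_t)p;
    for (int i = 0; i < freed_count; i++) {
        if (freed_addrs[i] == addr) {
            double_free_count++;          /* the real code would corrupt the heap here */
            return;
        }
    }
    if (freed_count < MAX_TRACKED)
        freed_addrs[freed_count++] = addr;
    free(p);
}

static void tracker_reset(void)
{
    freed_count = 0;
    double_free_count = 0;
}

/* Hypothetical stand-in for auth_krb4() as the report describes 3.1p1: on a
 * failed realm check it frees *client but leaves the caller's pointer
 * dangling. Returns 1 when authentication succeeds, 0 otherwise. */
static int auth_krb4_buggy(char **client, int ticket_in_our_realm)
{
    if (!ticket_in_our_realm) {
        tracked_free(*client);            /* caller still holds this address */
        return 0;
    }
    return 1;
}

/* Remedy taken by the reporter's attached patch: NULL the pointer after
 * freeing it, so the caller's later free() becomes a harmless free(NULL). */
static int auth_krb4_null_after_free(char **client, int ticket_in_our_realm)
{
    if (!ticket_in_our_realm) {
        tracked_free(*client);
        *client = NULL;
        return 0;
    }
    return 1;
}

/* Reporter's alternative: do not free at all; ownership stays with the loop. */
static int auth_krb4_caller_owns(char **client, int ticket_in_our_realm)
{
    (void)client;
    return ticket_in_our_realm ? 1 : 0;
}

/* Hypothetical model of do_authloop()'s contract: after the auth method
 * returns, client_user must be either a valid allocation or NULL, because
 * the loop frees it. Returns the number of double frees observed. */
static int run_authloop(int (*auth)(char **, int), int ticket_in_our_realm)
{
    tracker_reset();
    char *client_user = malloc(16);
    if (client_user == NULL)
        return -1;
    strcpy(client_user, "someuser");      /* constructed client user name */

    (void)auth(&client_user, ticket_in_our_realm);

    /* What the loop does later with any non-NULL client_user. */
    if (client_user != NULL)
        tracked_free(client_user);
    return double_free_count;
}

int main(void)
{
    printf("buggy auth_krb4, wrong realm:    %d double free(s)\n",
           run_authloop(auth_krb4_buggy, 0));
    printf("NULL after free, wrong realm:    %d double free(s)\n",
           run_authloop(auth_krb4_null_after_free, 0));
    printf("caller owns string, wrong realm: %d double free(s)\n",
           run_authloop(auth_krb4_caller_owns, 0));
    printf("buggy auth_krb4, right realm:    %d double free(s)\n",
           run_authloop(auth_krb4_buggy, 1));
    return 0;
}
```

Only the failing-realm path through the buggy variant produces a second free; the successful path never frees inside the callee, which is why the crash shows up only after a failed krb4 authentication. Either remedy restores the contract run_authloop relies on, and the second one (never freeing in the callee) has the advantage that there is only one owner of the string to reason about.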