bugzilla-daemon at mindrot.org
2002-Jun-26 22:18 UTC
[Bug 304] New: ssh-keysign memory freeing bug
http://bugzilla.mindrot.org/show_bug.cgi?id=304

Summary: ssh-keysign memory freeing bug
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: openssh at sigint.cs.purdue.edu
CC: openssh at sigint.cs.purdue.edu

The data received from ssh is freed before key_sign is run on it, which results in a bogus signature, at least under Linux. (Solaris and IRIX don't seem to mind.)

--- ssh-keysign.c~ Wed Jun 26 17:01:42 2002 +++ ssh-keysign.c Wed Jun 26 17:01:49 2002 @@ -192,7 +192,6 @@ data = buffer_get_string(&b, &dlen); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); - xfree(data); xfree(host); found = 0; @@ -208,6 +207,7 @@ if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) fatal("key_sign failed"); + xfree(data); /* send reply */ buffer_clear(&b);

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
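
Review bot: In the first hunk, once `xfree(data);` is dropped after the valid_request() check, nothing at `data = buffer_get_string(&b, &dlen);` records that data and dlen are still needed by the key_sign() call in the second hunk. A short comment at the assignment, for example `/* data is signed below; freed after key_sign() */`, would keep a later cleanup from moving the free back above its last use. The fatal() calls visible in these hunks terminate the process, so they do not need a matching free.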
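
Review bot: The `xfree(data);` added after the key_sign() check in the second hunk leaves data pointing at freed memory while dlen keeps its old value. Follow it with `data = NULL;` so that any later use fails immediately instead of reading stale heap contents. Reading freed memory is undefined on every platform, so a correct-looking signature on Solaris and IRIX before this change depended on what the allocator left in the freed chunk; the change is worth describing as a use-after-free fix rather than a Linux-only problem.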