Dag-Erling Smørgrav
2003-Mar-31 13:05 UTC
resource leak in ssh1 challenge-response authentication
If an ssh1 client initiates challenge-response authentication but does not submit a response to the challenge, and instead switches to some other authentication method, verify_response() will never run, and the kbdint device context will never be freed. In some cases (such as when the FreeBSD PAM authentication code is being used) this may cause a resource leak leading to a denial of service.

The attached patch adds abandon_challenge_response() to auth-chall.c, and code to auth1.c to call it if challenge-response authentication was initiated but not completed.

DES
--
Dag-Erling Smørgrav - des at ofug.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sshd-auth-chall.diff
Type: text/x-patch
Size: 2030 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030331/688687f8/attachment.bin
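The leak described in this message, modelled in C as an added example (this is not the attached patch nor OpenSSH's own code; the kbdint_ctx/auth_ctx structs, the constructed secret and the `patched` switch are assumptions made for the illustration). The server allocates a device context when the client asks for a challenge, frees it only in verify_response(), and so leaks it whenever the client changes method instead of answering; the abandon_challenge_response() call in the dispatcher is what closes that path.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of one connection's authentication state. The struct and
 * function names are assumptions made for this example, not OpenSSH's code. */
struct kbdint_ctx { char challenge[32]; };
struct auth_ctx   { struct kbdint_ctx *kbdint; }; /* non-NULL while a challenge is outstanding */

static int live_contexts; /* device contexts allocated but not freed, so a leak is observable */
/* Client requested challenge-response: allocate the device context and issue a challenge. */
int start_challenge(struct auth_ctx *a)
{
    if (a->kbdint != NULL || (a->kbdint = calloc(1, sizeof *a->kbdint)) == NULL)
        return -1;
    strcpy(a->kbdint->challenge, "Password:");
    live_contexts++;
    return 0;
}

/* The fix: release an outstanding context when the client moves on without answering. */
void abandon_challenge_response(struct auth_ctx *a)
{
    if (a->kbdint == NULL)
        return;
    free(a->kbdint);
    a->kbdint = NULL;
    live_contexts--;
}

/* Client answered: check the response, then release the context whatever the outcome. */
int verify_response(struct auth_ctx *a, const char *response)
{
    int ok = a->kbdint != NULL && strcmp(response, "correct-secret") == 0; /* constructed secret */
    abandon_challenge_response(a);
    return ok;
}

/* Method dispatcher. With patched == 0 it mimics the unpatched server: a client that
 * switches to another method leaves its device context allocated for good. */
int handle_auth_request(struct auth_ctx *a, const char *method, int patched)
{
    if (strcmp(method, "challenge-response") == 0)
        return start_challenge(a);
    if (patched)
        abandon_challenge_response(a);
    return 0; /* the other methods (password, RSA, ...) would be handled here */
}

int live_kbdint_contexts(void) { return live_contexts; }
```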
Markus Friedl
2003-Mar-31 13:58 UTC
resource leak in ssh1 challenge-response authentication
On Mon, Mar 31, 2003 at 03:05:51PM +0200, Dag-Erling Smørgrav wrote:
> If an ssh1 client initiates challenge-response authentication but does
> not submit a response to the challenge, and instead switches to some
> other authentication method, verify_response() will never run, and the
> kbdint device context will never be freed. In some cases (such as
> when the FreeBSD PAM authentication code is being used) this may cause
> a resource leak leading to a denial of service.
>
> The attached patch adds abandon_challenge_response() to auth-chall.c,
> and code to auth1.c to call it if challenge-response authentication
> was initiated but not completed.

ah, i see, someone is still using ssh1, good.

similar code should be in auth2_challenge_stop()...