In do_authloop() in auth1.c, the Kerberos 4 and 5 code both allocate, then xfree() the client_user string. The call to do_pam_account() later in the function then tries to use this string, resulting in a corrupt remote user.

Finally, before exiting, the function frees client_user again, resulting in a double free and much mess.

Patch attached.

Cheers,

Simon.

-- 
Simon Wilkinson <simon at sxw.org.uk>   http://www.sxw.org.uk
"Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read." - Groucho Marx

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clientuserfree.diff
Type: text/x-c
Size: 588 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20011113/1fe68748/attachment.bin
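The lifetime bug described in the report, reproduced as an added example (this is not OpenSSH code, and the scrubbed clientuserfree.diff is not on this page, so the "fixed" flow below is an assumed fix in the spirit of the report: the branch stops freeing client_user and the single xfree() at the end of the function owns the release). The names xstrdup/xfree, do_pam_account and client_user are borrowed from the report; the allocation tracker, the user string "alice" and the two auth_loop_* functions are constructed for illustration. Frees and reads go through a small tracker so that the use-after-free and the double free are counted rather than corrupting the heap:

```c
/* Added example, not OpenSSH code. Reproduces the client_user lifetime
 * bug from the report against a tiny allocation tracker, so a double
 * free and a use after free are reported instead of corrupting memory.
 * xstrdup/xfree/do_pam_account/client_user are names from the report;
 * the tracker, the sample user and the fix are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

static void *live[MAX_LIVE];        /* allocations currently owned by the caller */
static int double_free_count;       /* xfree() on an address that is not live */
static int use_after_free_count;    /* do_pam_account() on an address not live */

static int find_live(const void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) return i;
    return -1;
}

static void reset_tracker(void) {
    memset(live, 0, sizeof live);
    double_free_count = use_after_free_count = 0;
}

/* Duplicates s and records the new pointer as live. */
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    int slot = find_live(NULL);
    if (slot < 0) { fputs("tracker full\n", stderr); exit(1); }
    live[slot] = p;
    return p;
}

/* Releases p the first time; a repeated free is counted, not performed,
 * so the example itself never executes undefined behaviour. */
static void xfree(void *p) {
    if (p == NULL) return;
    int slot = find_live(p);
    if (slot < 0) { double_free_count++; return; }
    live[slot] = NULL;
    free(p);
}

/* Stand-in for do_pam_account(): reading a freed pointer is counted as a
 * use after free. Returns 1 if a usable user name was seen, else 0. */
static int do_pam_account(const char *user) {
    if (user == NULL) return 0;
    if (find_live(user) < 0) { use_after_free_count++; return 0; }
    return user[0] != '\0';
}

/* The flow the report describes: the Kerberos branch allocates and frees
 * client_user, do_pam_account() then reads the dangling pointer, and the
 * function frees it once more before returning. */
static int auth_loop_buggy(int kerberos_ok) {
    char *client_user = NULL;
    if (kerberos_ok) {
        client_user = xstrdup("alice");      /* constructed sample user */
        /* ... Kerberos code uses client_user ... */
        xfree(client_user);                  /* freed here, pointer left dangling */
    }
    int pam_ok = do_pam_account(client_user);   /* use after free */
    xfree(client_user);                         /* double free */
    return pam_ok;
}

/* Assumed fix: the branch leaves client_user alive, the single xfree() at
 * the end releases it, and the pointer is cleared after the free. */
static int auth_loop_fixed(int kerberos_ok) {
    char *client_user = NULL;
    if (kerberos_ok) {
        client_user = xstrdup("alice");
        /* ... Kerberos code uses client_user ... */
    }
    int pam_ok = do_pam_account(client_user);
    xfree(client_user);
    client_user = NULL;
    return pam_ok;
}

/* Runs one flow on a fresh tracker; stores its PAM result in *pam_ok and
 * returns the number of lifetime violations (double frees + uses after free). */
static int violations(int (*flow)(int), int kerberos_ok, int *pam_ok) {
    reset_tracker();
    *pam_ok = flow(kerberos_ok);
    return double_free_count + use_after_free_count;
}

int main(void) {
    int pam_ok;
    int v = violations(auth_loop_buggy, 1, &pam_ok);
    printf("buggy: %d violations, pam_ok=%d\n", v, pam_ok);
    v = violations(auth_loop_fixed, 1, &pam_ok);
    printf("fixed: %d violations, pam_ok=%d\n", v, pam_ok);
    return 0;
}
```

The buggy flow reports one use after free (the "corrupt remote user" seen by do_pam_account()) and one double free; the fixed flow reports none and PAM sees the real user name. In the real code the same pattern would show up under AddressSanitizer or a hardened malloc, which is the quickest way to confirm a fix of this shape.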
On Tue, 13 Nov 2001, Simon Wilkinson wrote:

> In do_authloop() in auth1.c, the Kerberos 4 and 5 code both allocate, then
> xfree() the client_user string. The call to do_pam_account() later in the
> function then tries to use this string, resulting in a corrupt remote user.
>
> Finally, before exiting, the function frees client_user again, resulting in a
> double free and much mess.
>
> Patch attached.

Applied - thanks!

Could you resend your krb5 patch to the list?

Thanks,
Damien Miller

-- 
| By convention there is color,            \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)