search for: key_free

Displaying 20 results from an estimated 53 matches for "key_free".

2006 May 15
0
[PATCH 9/12] bug fix: openssh 4.3p2 possible NULL dereference
key is freed outside of the if that checks if key is NULL; therefore, NULL could be sent to the key_free function, which will not handle it correctly. The fix is to move key_free to a place where you know key is not NULL. This patch moves the key_free call. This entire set of patches passed the regression tests on my system. Bug found by Coverity. Signed-off-by: Kylene Hall <kjhall at us.ibm.com...
2012 Nov 21
1
HostKey in hardware?
Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this
2001 May 25
1
ssh-keygen segfault (2.9p1)
...(off_t) 0, SEEK_SET); /* rewind */ if (pub == NULL) { /* closes fd */ - return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); + return key_load_private_pem(fd, KEY_UNSPEC, passphrase, + commentp); } else { /* it's a SSH v1 key if the public key part is readable */ key_free(pub);
2002 Apr 18
1
xxx_kex possible memory leak?
...wever, I've run into a possible memory leak, and I'm not sure whether I need to write my own cleanup function for it or not. The xxx_kex global (defined in sshd.c) seems to not get freed. I've had difficulty finding a cleanup routine for it. I've been looking for anything similar to key_free() or buffer_free() that might work for the Kex struct, but have had no luck. Does anyone know if such a cleanup function exists? Or is this a known memory leak? Or am I just smoking crack? Any pointers are greatly appreciated! Regards, Dan Moulding Firmware Engineer Phone :801.887.9885 FAX :80...
2003 Mar 31
1
[Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC
...DHAVE_CONFIG_H -c ssh-keysign.c ssh-keysign.c: In function `valid_request': ssh-keysign.c:58: warning: `key' might be used uninitialized in this function Looking at the code, indeed, key is only initialized if pktype != KEY_UNSPEC, but if pktype == KEY_UNSPEC then fail will be non-zero and key_free() in the following code may fire depending on what happens to be on the stack, possibly causing a segfault: if (fail && key != NULL) key_free(key); else *ret = key; I suggest explicitly initializing key to NULL. ------- You are receiving...
2014 Mar 26
1
SSHFP issue
Have you seen this? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 --mancha
2014 Jul 27
1
Query
Hello, I recently upgraded to openssh 6.6 version and I am finding public authentication doesn't seem to work. I see the openssh application exits with the error, fatal: key_free: bad key type 1515870810 After I created one more user, it throws the below error and exits. fatal: restore_uid: temporarily use_uid not effective I was able to successfully authenticate using 5.x openssh version. Kindly let me know, if this is a problem with 6.6 version? Regards Opensshuse...
2013 Apr 15
6
[Bug 2088] New: meoory leak in do_gen_krl()
https://bugzilla.mindrot.org/show_bug.cgi?id=2088 Bug ID: 2088 Summary: meoory leak in do_gen_krl() Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: FreeBSD Status: NEW Severity: minor Priority: P5 Component: ssh-keygen Assignee:
2002 Oct 08
2
Memory fault on HP-UX 11.0, 3.4p1
...sh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 400377a0 hint -1 debug2: input_userauth_pk_ok: fp 7a:44:be:6c:94:18:fb:0c:ff:e5:1a:9a:07:98:a5:27 debug3: sign_and_send_pubkey debug3: clear_auth_state: key_free 400377a0 debug1: ssh-userauth2 successful: method publickey debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug1: send channel open 0 Memory fault(coredump) # ssh -V OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f HP-UX 11.0 (March 2002 patches) Thank...
2002 Feb 22
2
Weird problems on solaris 7 & 8
...stigation. This seems to be happening with any release of openssh since at least 2.5.2p1. 1) Problem #1: If SSH protocol 1 is enabled then sshd segfaults right off. This turns out to be because the call to arc4random_stir is corrupting memory and making sensitive_data.server_key non NULL. When key_free is then called on its UNALLOCATED storage, you get a pretty seg fault. 2) Problem #3: snprintf doesn't like the %.100s specifier. For some reason 00s gets printed, and all the arguments get shifted. This breaks all sorts of things in all sorts of horrible ways. Some basic experimenta...
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...'s GSS-API patches. Files modified: - key.h - added KEY_NAME key type - added KEY_NAME_PAT key type - added name, name_len and name_type fields to the Key struct - added prototype for key_match() - key.c - added initialization/finalization of new Key fields to key_new()/key_free() - added named/pattern key type support to a variety of functions, including key_read() and key_write(), among others - added key_match() implementation - auth-options.h - added void auth_set_key_env(Key *) prototype - auth-options.c - added auth_set_key_env() implementat...
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
...Y_NAME key type - added KEY_NAME_PAT key type - added name, name_len and name_type fields to the Key struct (I realize that the name_len field is useless, I may remove it) - added prototype for key_match() - key.c - added initialization/finalization of new Key fields to key_new()/key_free() - added named/pattern key type support to a variety of functions, including key_read() and key_write(), among others - added key_match() implementation - auth-options.h - added void auth_set_key_env(Key *) prototype - auth-options.c - added auth_set_key_env() implementat...
2001 Mar 04
1
bubblebabble patch
...36,17 @@ KEY_DSA, KEY_UNSPEC }; + +enum digest_type { + DIGEST_TYPE_SHA1, + DIGEST_TYPE_MD5 +}; + +enum digest_representation { + DIGEST_REPRESENTATION_HEX, + DIGEST_REPRESENTATION_BUBBLEBABBLE +}; + struct Key { int type; RSA *rsa; @@ -46,6 +57,7 @@ Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key *b); +char *key_fingerprint_ex(Key *k, enum digest_type dgst_type, enum digest_representation dgst_representation); char *key_fingerprint(Key *k); char *key_type(Key *k); int key_write(Key *key, FILE *f); --- ./openssh-2.5.1/key_original.c Sun Mar 4 00:48:41...
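Review bot: the new key_fingerprint_ex() prototype in the key.h hunk is undocumented: nothing says who frees the returned char * or what the function does when dgst_type or dgst_representation is outside the two enum values each declares. Add a comment above the prototype stating the ownership of the result and the behaviour for an unsupported combination, so callers of the existing key_fingerprint() can tell how the two relate.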
2005 May 19
1
ssh-keygen private keys export - new feature
...onverted from OpenSSH by %s@%s\"\n", key_size(k), key_type(k), pw->pw_name, hostname); dump_base64(stdout, blob, len); - fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); + fprintf(stdout, "%s\n", + private?SSH_COM_PRIVATE_END:SSH_COM_PUBLIC_END); key_free(k); xfree(blob); exit(0); @@ -216,7 +326,6 @@ u_char *sig, data[] = "abcde12345"; int magic, rlen, ktype, i1, i2, i3, i4; u_int slen; - u_long e; buffer_init(&b); buffer_append(&b, blob, blen); @@ -232,8 +341,7 @@ cipher = buffer_get_string(&b, NULL);...
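Review bot: in the export path, the footer is now chosen on private, which means blob can carry private key material when it reaches dump_base64(stdout, blob, len), yet the visible lines still release it with a plain xfree(blob) before exit(0). Clear the buffer over len bytes before freeing it in the private case, and put spaces around the ternary operators (private ? SSH_COM_PRIVATE_END : SSH_COM_PUBLIC_END) to match the surrounding style.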
2005 Jul 26
1
Linux in-kernel keys support
..._MD5, SSH_FP_HEX)); + if (!key_to_blob(private, &blob, &len)) + fatal("key_to_blob: %s\n", filename); + + if (add_key("user", comment, blob, len, KEY_SPEC_USER_SESSION_KEYRING) < 0) + fatal("Failed to add key: %s\n", filename); + + xfree(comment); + key_free(private); + + ret = 0; + return ret; + } +#endif if (ssh_add_identity_constrained(ac, private, comment, lifetime, confirm)) { fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); @@ -216,6 +324,91 @@ int had_identities = 0; int version; +#ifdef HAVE_LIBKEY...
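Review bot: in the added keyring branch, blob filled by key_to_blob(private, &blob, &len) is never released: after add_key() the code calls xfree(comment) and key_free(private) and then returns, so blob leaks on the success path. Add xfree(blob) before return ret; (clearing it first if it holds key material), and consider returning 0 directly rather than assigning ret = 0 on the line before.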
2005 Feb 24
3
Suggestion: SSHD pseudo/fake mode. Source available.
Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributor to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IPs. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different
2015 Jun 05
0
[Bug 1967] Potential memory leak in ssh [detected by melton]
...onnect2.c 30 Dec 2011 09:27:33 -0000 >@@ -1323,8 +1323,11 @@ load_identity_file(char *filename) > return NULL; > } > private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); >- if (!perm_ok) >+ if (!perm_ok) { >+ if (private != NULL) >+ key_free(private); This code has been refactored and the leak eliminated. >@@ -1892,9 +1895,9 @@ authmethod_get(char *authlist) > xfree(name); > return current; > } >+ if (name != NULL) >+ xfree(name); This is already there. -- You are receiving this mail because: You are w...
2000 May 15
1
[PATCH] using openssl with no-rsa?
...RSA_free(public_key); + if (sensitive_data.private_key != NULL) + RSA_free(sensitive_data.private_key); + if (sensitive_data.host_key != NULL) + RSA_free(sensitive_data.host_key); if (sensitive_data.dsa_host_key != NULL) key_free(sensitive_data.dsa_host_key); } The machine is an i686 using standard RedHat 6.2. It appears that the ssh binaries are doing some form of delayed linking that is allowing the program to run without all the functions defined. It appears that as long as no RSA_xxx calls are made the ssh server wo...
2006 Aug 28
0
patch for ssh-agent force confirm keys
...if (id != NULL && ((!confirm && !id->confirm) || confirm_key(id) == 0)) + if (id != NULL && (!id->confirm || confirm_key(id) == 0)) ok = key_sign(id->key, &signature, &slen, data, dlen); } key_free(key); @@ -1029,7 +1026,7 @@ init_rng(); seed_rng(); - while ((ch = getopt(ac, av, "Ccdksa:t:")) != -1) { + while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { switch (ch) { case 'c':...
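Review bot: the signing condition now tests only id->confirm, so the old behaviour where the confirm variable forced confirmation for every key at sign time is gone; the patch needs to show (or the description needs to say) where that per-key flag is set instead, otherwise keys already loaded without it are signed with no prompt. Removing C from the getopt string ("Ccdksa:t:" to "cdksa:t:") also turns any existing -C invocation into a usage error, so the usage text and manual page should change in the same patch.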
2010 Nov 27
0
[patch] Make passphrase-protected SSHv1 keys work again
...============================= RCS file: /usr/cvs/src/src/usr.bin/ssh/authfile.c,v retrieving revision 1.86 diff -u -p -r1.86 authfile.c --- authfile.c 21 Nov 2010 10:57:07 -0000 1.86 +++ authfile.c 27 Nov 2010 13:28:27 -0000 @@ -695,7 +695,7 @@ key_load_private(const char *filename, c } else { key_free(pub); prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase, - commentp); + NULL); } buffer_free(&buffer); return prv;
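Review bot: in the else branch of key_load_private(), the KEY_RSA1 call to key_parse_private_type() now passes NULL instead of commentp, and nothing in the hunk says why or where *commentp is filled in for this path. Add a one-line comment at the call explaining which earlier step supplies the comment, and confirm that callers passing a non-NULL commentp never read it unset when the key turns out to be a passphrase-protected SSHv1 key.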