Date: Mon, 13 Mar 2000 13:56:43 -0500 (EST)
From: ajk@iu.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/17360: [PATCH] Cleanup bug in pam_ssh
Message-ID: <200003131856.NAA02840@ajk-5.waterspout.com>
>Number:         17360
>Category:       bin
>Synopsis:       [PATCH] Cleanup bug in pam_ssh
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 13 11:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Andrew J. Korty
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
IT Security Office, Indiana University
>Environment:
FreeBSD ajk-5.waterspout.com 4.0-CURRENT FreeBSD 4.0-CURRENT #5:
Sat Mar 11 13:28:16 EST 2000
ajk@kujan.uits.iupui.edu:/usr/src/sys/compile/KUJAN  i386
>Description:
[Sorry to submit this right after the tag went down, but I just
noticed it.]
Since pam_ssh is unable to use the libc environment calls (long
story), it uses a linked list to manage the environment on its own.
The list was not getting freed properly, which could cause a memory
leak in PAM applications that use this module.
This patch also ensures strict modes on the file containing ssh-agent
environment strings created in the user's ~/.ssh directory.
>How-To-Repeat:
Look at the env_destroy() function and see how it can't possibly
work.  :-)
>Fix:
Apply this patch against src/crypto/openssh/pam_ssh/pam_ssh.c.
Index: pam_ssh.c
===================================================================
RCS file: /var/cvs/src/crypto/openssh/pam_ssh/pam_ssh.c,v
retrieving revision 1.3
diff -U2 -r1.3 pam_ssh.c
--- pam_ssh.c	2000/02/26 09:59:14	1.3
+++ pam_ssh.c	2000/03/13 18:36:44
@@ -1,4 +1,4 @@
 /*-
- * Copyright (c) 1999 Andrew J. Korty
+ * Copyright (c) 1999, 2000 Andrew J. Korty
  * All rights reserved.
  *
@@ -31,4 +31,5 @@
 #include <sys/param.h>
 #include <sys/queue.h>
+#include <sys/stat.h>
 
 #include <fcntl.h>
@@ -121,5 +122,5 @@
 
 static int
-env_put(ENV *self, char *s)
+env_put(ENV *self, const char *s)
 {
 	struct env_entry	*env;
@@ -137,5 +138,5 @@
 
 static void
-env_swap(ENV *self, int which)
+env_swap(const ENV *self, int which)
 {
 	environ = which ? self->e_environ_new : self->e_environ_orig;
@@ -174,7 +175,8 @@
 
 	env_swap(self, 0);
-	SLIST_FOREACH(p, &self->e_head, ee_entries) {
+	while ((p = SLIST_FIRST(&self->e_head))) {
 		free(p->ee_env);
 		free(p);
+		SLIST_REMOVE_HEAD(&self->e_head, ee_entries);
 	}
 	if (self->e_committed)
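Review bot: the replacement loop still has the ordering problem it was meant to fix. `free(p);` runs before `SLIST_REMOVE_HEAD(&self->e_head, ee_entries);`, and that macro is defined as `SLIST_FIRST(head) = SLIST_NEXT(SLIST_FIRST(head), field)`, so it reads the `sle_next` pointer out of the node that was just freed. The use-after-free of the `SLIST_FOREACH` version (freeing the cursor and then letting the macro step through it) is moved, not removed. Unlink first, then free: put `SLIST_REMOVE_HEAD(&self->e_head, ee_entries);` as the first statement in the `while` body, before `free(p->ee_env);` and `free(p);`.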
@@ -366,5 +368,6 @@
 	saved_uid = geteuid();
 	(void)seteuid(pwent->pw_uid);
-	env_fp = fopen(env_file, "w");
+	if ((env_fp = fopen(env_file, "w")))
+		(void)chmod(env_file, S_IRUSR);
 	pipe = popen(PATH_SSH_AGENT, "r");
 	(void)seteuid(saved_uid);
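Review bot: `chmod(env_file, S_IRUSR)` after `fopen(env_file, "w")` leaves a window in which the agent file exists with umask-derived permissions, and a path-based chmod applies to whatever `env_file` names at that instant rather than to the file just opened. Creating it with `open(2)` using `O_WRONLY|O_CREAT|O_TRUNC` and mode `S_IRUSR`, then `fdopen(3)`, removes the window; at minimum, `fchmod(fileno(env_fp), S_IRUSR)` acts on the descriptor already held. Two things to confirm elsewhere in the file: with the file left at 0400 and this code running under `seteuid(pwent->pw_uid)`, a later `fopen(env_file, "w")` on the existing file will fail with EACCES unless it is unlinked first; and when `fopen` fails, execution still falls through to `popen(PATH_SSH_AGENT, "r")` with `env_fp` NULL, which this hunk does not show being handled.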
>Release-Note:
>Audit-Trail:
>Unformatted:
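The description above explains that pam_ssh keeps its environment in a self-managed SLIST and that env_destroy() was not tearing it down correctly. The following is an added illustration, not code from the pam_ssh source or from this PR: a minimal list with the same field names, a destroy routine that unlinks each node before freeing it, and a constructed driver (env_roundtrip, a name assumed here) that can be run under valgrind or ASan. It assumes a BSD-style <sys/queue.h>.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>
struct env_entry {
	char *ee_env;
	SLIST_ENTRY(env_entry) ee_entries;
};
typedef struct env { SLIST_HEAD(, env_entry) e_head; } ENV;
/* Copy s into a fresh node at the head of the list; 0 on success, -1 on ENOMEM. */
static int
env_put(ENV *self, const char *s)
{
	struct env_entry *env = malloc(sizeof(*env));
	if (env == NULL || (env->ee_env = malloc(strlen(s) + 1)) == NULL) {
		free(env);
		return (-1);
	}
	memcpy(env->ee_env, s, strlen(s) + 1);
	SLIST_INSERT_HEAD(&self->e_head, env, ee_entries);
	return (0);
}

/* Unlink the head before freeing it: SLIST_REMOVE_HEAD reads the node's next
 * pointer, so after free(p) it touches freed memory. Returns nodes released. */
static int
env_destroy(ENV *self)
{
	struct env_entry *p;
	int freed = 0;
	while ((p = SLIST_FIRST(&self->e_head)) != NULL) {
		SLIST_REMOVE_HEAD(&self->e_head, ee_entries);
		free(p->ee_env);
		free(p);
		freed++;
	}
	return (freed);
}

/* Constructed driver: insert n agent-style strings, tear down, return the count freed or -1 if any node remains. */
static int
env_roundtrip(int n)
{
	ENV e;
	int i;
	SLIST_INIT(&e.e_head);
	for (i = 0; i < n; i++)
		(void)env_put(&e, i ? "SSH_AGENT_PID=1" : "SSH_AUTH_SOCK=/tmp/x/agent.1");
	i = env_destroy(&e);
	return (SLIST_EMPTY(&e.e_head) ? i : -1);
}
```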
