author | Matt Johnston <matt@ucc.asn.au> | 2018-03-06 22:18:20 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2018-03-06 22:18:20 +0800 |
commit | e9edbe8bb204b00c7f4b4fda7eeee9d0177934ae (patch) | |
tree | 68c30f5a071a73dcd421ee932e46b8602c6221c0 | |
parent | 4fd3160179620e26e90b38ec9b093aa893cd0911 (diff) |
avoid leak of pubkey_options
-rw-r--r-- | fuzzer-pubkey.c | 8 | ||||
-rw-r--r-- | svr-authpubkey.c | 4 | ||||
-rw-r--r-- | svr-authpubkeyoptions.c | 1 |
3 files changed, 11 insertions, 2 deletions
diff --git a/fuzzer-pubkey.c b/fuzzer-pubkey.c
index a062e1f..033f496 100644
--- a/fuzzer-pubkey.c
+++ b/fuzzer-pubkey.c
@@ -30,10 +30,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 if (have_algo(algoname, algolen, sshhostkey) == DROPBEAR_FAILURE) {
 dropbear_exit("fuzzer imagined a bogus algorithm");
 }
- fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
+
+ int ret = fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
 algoname, algolen, keyblob->data, keyblob->len);
+ if (ret == DROPBEAR_SUCCESS) {
+ /* fuzz_checkpubkey_line() should have cleaned up for failure */
+ svr_pubkey_options_cleanup();
+ }
+ buf_free(line);
 buf_free(keyblob);
 m_free(algoname);
diff --git a/svr-authpubkey.c b/svr-authpubkey.c
index 0ca0ea4..e97b158 100644
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -167,6 +167,10 @@ out:
 sign_key_free(key);
 key = NULL;
 }
+ /* Retain pubkey options only if auth succeeded */
+ if (!ses.authstate.authdone) {
+ svr_pubkey_options_cleanup();
+ }
 TRACE(("leave pubkeyauth"))
 }
diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c
index 19f07b9..9498b64 100644
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -113,7 +113,6 @@ void svr_pubkey_options_cleanup() {
 m_free(ses.authstate.pubkey_options->forced_command);
 }
 m_free(ses.authstate.pubkey_options);
- ses.authstate.pubkey_options = NULL;
 }
 }
|
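Review bot: The failure branch after `fuzz_checkpubkey_line()` rests on an invariant that is only stated in a comment: when `ret` is not `DROPBEAR_SUCCESS`, nothing checks that `ses.authstate.pubkey_options` was actually released, so a regression shows up only if the harness runs under a leak detector. Assuming the cleanup path leaves that pointer NULL, an explicit `else if (ses.authstate.pubkey_options) { abort(); }` would make the harness stop at the input that broke the invariant. As a style point, `int ret` is declared after statements in this block; whether the project still builds with compilers that reject mixed declarations cannot be told from this hunk. The body of `LLVMFuzzerTestOneInput` starts and ends outside the hunk.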
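Review bot: With the cleanup added at `out:` in svr-authpubkey.c, `svr_pubkey_options_cleanup()` now runs after every public-key request that does not complete authentication, and a client can send such requests repeatedly before it is authenticated, so the function has to be safe to call more than once. The same commit removes the explicit `ses.authstate.pubkey_options = NULL;` in svr-authpubkeyoptions.c, so that safety now depends on `m_free()` clearing the pointer it is given, and its definition is not visible on this page. If `m_free` does reset its argument, a comment in the cleanup function would record the dependency, for example `/* m_free() also resets the pointer to NULL, so repeated cleanup calls are harmless */`; if it does not, the stale pointer would be freed again on the next failed attempt and the explicit assignment should stay. The enclosing function starts outside the hunk.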