author | Matt Johnston <matt@ucc.asn.au> | 2018-03-06 22:18:20 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2018-03-06 22:18:20 +0800 |
commit | 5b5788dff2d145d671740ef28b1a78df1e7e2e3a (patch) | |
tree | 63b3104efb3d382cc131c655fb6be858e4842874 | |
parent | 18ed413c685b55d8032a2a80a195e284b4e280a8 (diff) | |
avoid leak of pubkey_options
-rw-r--r-- | fuzzer-pubkey.c | 8 | ||||
-rw-r--r-- | svr-authpubkey.c | 4 | ||||
-rw-r--r-- | svr-authpubkeyoptions.c | 1 |
3 files changed, 11 insertions, 2 deletions
diff --git a/fuzzer-pubkey.c b/fuzzer-pubkey.c index a062e1f..033f496 100644 --- a/fuzzer-pubkey.c +++ b/fuzzer-pubkey.c @@ -30,10 +30,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (have_algo(algoname, algolen, sshhostkey) == DROPBEAR_FAILURE) { dropbear_exit("fuzzer imagined a bogus algorithm"); } - fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys", + + int ret = fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys", algoname, algolen, keyblob->data, keyblob->len); + if (ret == DROPBEAR_SUCCESS) { + /* fuzz_checkpubkey_line() should have cleaned up for failure */ + svr_pubkey_options_cleanup(); + } + buf_free(line); buf_free(keyblob); m_free(algoname); diff --git a/svr-authpubkey.c b/svr-authpubkey.c index 0ca0ea4..e97b158 100644 --- a/svr-authpubkey.c +++ b/svr-authpubkey.c @@ -167,6 +167,10 @@ out: sign_key_free(key); key = NULL; } + /* Retain pubkey options only if auth succeeded */ + if (!ses.authstate.authdone) { + svr_pubkey_options_cleanup(); + } TRACE(("leave pubkeyauth")) } diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c index 19f07b9..9498b64 100644 --- a/svr-authpubkeyoptions.c +++ b/svr-authpubkeyoptions.c @@ -113,7 +113,6 @@ void svr_pubkey_options_cleanup() { m_free(ses.authstate.pubkey_options->forced_command); } m_free(ses.authstate.pubkey_options); - ses.authstate.pubkey_options = NULL; } } |
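Review bot: In the fuzzer-pubkey.c hunk, the failure path of the new `if (ret == DROPBEAR_SUCCESS)` block is covered only by a comment, so the harness assumes that `fuzz_checkpubkey_line()` released the options instead of checking it. Since the harness is there to catch this kind of leak, an explicit check would make a regression fail on the input that triggers it rather than depend on the leak detector at exit: `} else { assert(ses.authstate.pubkey_options == NULL); }`, or the project's own assertion helper if it has one. The body of `LLVMFuzzerTestOneInput` starts and ends outside the hunk, so whether session state is reset between inputs cannot be seen here.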
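Review bot: In the svr-authpubkey.c hunk, the cleanup added after `out:` makes `svr_pubkey_options_cleanup()` run after every failed pubkey attempt, so each call must leave `ses.authstate.pubkey_options` NULL. If it did not, a second failed attempt or a later cleanup would free the same pointer again. The svr-authpubkeyoptions.c hunk removes the explicit `ses.authstate.pubkey_options = NULL;`, which is safe only if `m_free()` resets its argument; that definition is not visible on this page. Once confirmed, I would record the dependency inside the cleanup function with a comment such as `/* m_free() sets the pointer to NULL, so repeated calls are safe */`. The enclosing function begins outside the hunk, so how `ses.authstate.authdone` gets set before `out:` is also not visible.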