
ssh1login: fix memory management when using the agent.

We were retaining a ptrlen 's->comment' into a past agent response
message, but that had been freed by the time it was actually printed
in a diagnostic. Also, agent_response_to_free was being freed twice,
because the variable 'ret' in the response-formatting code aliased it.
Simon Tatham 2019-01-20 16:42:58 +00:00
parent 0d2d20aad0
commit 836a75ba69


@ -51,7 +51,7 @@ struct ssh1_login_state {
bool authed; bool authed;
RSAKey key; RSAKey key;
mp_int *challenge; mp_int *challenge;
ptrlen comment; strbuf *agent_comment;
int dlgret; int dlgret;
Filename *keyfile; Filename *keyfile;
RSAKey servkey, hostkey; RSAKey servkey, hostkey;
@ -95,6 +95,7 @@ PacketProtocolLayer *ssh1_login_new(
s->savedhost = dupstr(host); s->savedhost = dupstr(host);
s->savedport = port; s->savedport = port;
s->successor_layer = successor_layer; s->successor_layer = successor_layer;
s->agent_comment = strbuf_new();
return &s->ppl; return &s->ppl;
} }
@ -113,6 +114,7 @@ static void ssh1_login_free(PacketProtocolLayer *ppl)
if (s->publickey_blob) if (s->publickey_blob)
strbuf_free(s->publickey_blob); strbuf_free(s->publickey_blob);
sfree(s->publickey_comment); sfree(s->publickey_comment);
strbuf_free(s->agent_comment);
if (s->cur_prompt) if (s->cur_prompt)
free_prompts(s->cur_prompt); free_prompts(s->cur_prompt);
sfree(s->agent_response_to_free); sfree(s->agent_response_to_free);
@ -507,7 +509,8 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
get_rsa_ssh1_pub(s->asrc, &s->key, get_rsa_ssh1_pub(s->asrc, &s->key,
RSA_SSH1_EXPONENT_FIRST); RSA_SSH1_EXPONENT_FIRST);
end = s->asrc->pos; end = s->asrc->pos;
s->comment = get_string(s->asrc); s->agent_comment->len = 0;
put_datapl(s->agent_comment, get_string(s->asrc));
if (get_err(s->asrc)) { if (get_err(s->asrc)) {
ppl_logevent("Pageant key list packet was truncated"); ppl_logevent("Pageant key list packet was truncated");
break; break;
@ -570,7 +573,6 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
s->ppl.bpp, SSH1_CMSG_AUTH_RSA_RESPONSE); s->ppl.bpp, SSH1_CMSG_AUTH_RSA_RESPONSE);
put_data(pkt, ret + 5, 16); put_data(pkt, ret + 5, 16);
pq_push(s->ppl.out_pq, pkt); pq_push(s->ppl.out_pq, pkt);
sfree((char *)ret);
crMaybeWaitUntilV( crMaybeWaitUntilV(
(pktin = ssh1_login_pop(s)) (pktin = ssh1_login_pop(s))
!= NULL); != NULL);
@ -578,10 +580,12 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
ppl_logevent("Pageant's response " ppl_logevent("Pageant's response "
"accepted"); "accepted");
if (flags & FLAG_VERBOSE) { if (flags & FLAG_VERBOSE) {
ptrlen comment = ptrlen_from_strbuf(
s->agent_comment);
ppl_printf("Authenticated using RSA " ppl_printf("Authenticated using RSA "
"key \"%.*s\" from " "key \"%.*s\" from "
"agent\r\n", PTRLEN_PRINTF( "agent\r\n",
s->comment)); PTRLEN_PRINTF(comment));
} }
s->authed = true; s->authed = true;
} else } else
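Review bot: Dropping `sfree((char *)ret);` in the third hunk makes the response buffer's lifetime depend entirely on the remaining `sfree(s->agent_response_to_free)` in ssh1_login_free; if the key loop issues another agent query before the layer is torn down, the earlier buffer would have to be released at the point of reassignment, which this diff does not show — worth confirming in the surrounding code, since ssh1_login_process_queue starts and ends outside these hunks. The copy into `s->agent_comment` in the second hunk is the right fix for the dangling ptrlen, but nothing at that site says why a strbuf is used; a comment such as `/* Copy the comment out of the agent response: the response buffer is freed before this comment is printed. */` would stop a future cleanup from turning it back into a ptrlen. Note also that the comment is copied verbatim from the agent reply and later emitted through ppl_printf with `%.*s`; if that output path does not already strip control characters, it may be worth checking that a comment containing them cannot reach the user's terminal unfiltered.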