dropbear

changeset 654:818108bf7749

- Fix use-after-free if multiple command requests were sent. Move the original_command into chansess struct since that makes more sense
author Matt Johnston <matt@ucc.asn.au>
date Sun, 04 Dec 2011 05:31:25 +0800
parents 5e8d84f3ee72
children 16af1decaf4c
files auth.h chansession.h svr-authpubkeyoptions.c svr-chansession.c
diffstat 4 files changed, 19 insertions(+), 11 deletions(-) [+]
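--- a/auth.h	Sun Dec 04 05:27:57 2011 +0800
+++ b/auth.h	Sun Dec 04 05:31:25 2011 +0800
@@ -133,7 +133,6 @@
 	int no_pty_flag;
 	/* "command=" option. */
 	unsigned char * forced_command;
-	unsigned char * original_command;
 };
 #endif
 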
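--- a/chansession.h	Sun Dec 04 05:27:57 2011 +0800
+++ b/chansession.h	Sun Dec 04 05:31:25 2011 +0800
@@ -69,6 +69,10 @@
 	char * agentfile;
 	char * agentdir;
 #endif
+
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+	char *original_command;
+#endif
 };
 
 struct ChildPid {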
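Review bot: The new original_command member of struct ChanSess is added without a comment, although this changeset gives it a non-obvious contract: svr-authpubkeyoptions.c hands it the old cmd string with the remark "original_command takes ownership", svr-chansession.c frees it with the other per-session strings, and the same function there exports it as SSH_ORIGINAL_COMMAND. A one-line comment on the field would keep that visible to the next reader: `/* command the client requested before a pubkey "command=" option replaced cmd; owned by the chansess and freed with it */`.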
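--- a/svr-authpubkeyoptions.c	Sun Dec 04 05:27:57 2011 +0800
+++ b/svr-authpubkeyoptions.c	Sun Dec 04 05:31:25 2011 +0800
@@ -92,14 +92,15 @@
  * by any 'command' public key option. */
 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
 	if (ses.authstate.pubkey_options) {
-		ses.authstate.pubkey_options->original_command = chansess->cmd;
-		if (!chansess->cmd)
-		{
-			ses.authstate.pubkey_options->original_command = m_strdup("");
+		if (chansess->cmd) {
+			/* original_command takes ownership */
+			chansess->original_command = chansess->cmd;
+		} else {
+			chansess->original_command = m_strdup("");
 		}
-		chansess->cmd = ses.authstate.pubkey_options->forced_command;
+		chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
 #ifdef LOG_COMMANDS
-		dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
+		dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
 #endif
 	}
 }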
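Review bot: svr_pubkey_set_forced_command overwrites chansess->original_command unconditionally, so if it runs a second time for the same chansess — the repeated command request named in the changeset title — the string stored by the first call is leaked, and original_command then holds the strdup'd forced command rather than what the client originally asked for, which is also what SSH_ORIGINAL_COMMAND would report. Whether a second call is reachable depends on the caller in svr-chansession.c, which is not in this hunk. Releasing the previous value first, `m_free(chansess->original_command);` as the first statement inside the `if (ses.authstate.pubkey_options)` block, makes the function safe to call repeatedly while still re-applying the forced command every time.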
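--- a/svr-chansession.c	Sun Dec 04 05:27:57 2011 +0800
+++ b/svr-chansession.c	Sun Dec 04 05:31:25 2011 +0800
@@ -217,6 +217,8 @@
 
 	struct ChanSess *chansess;
 
+	TRACE(("new chansess %p", channel))
+
 	dropbear_assert(channel->typedata == NULL);
 
 	chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
@@ -279,6 +281,10 @@
 	m_free(chansess->cmd);
 	m_free(chansess->term);
 
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+	m_free(chansess->original_command);
+#endif
+
 	if (chansess->tty) {
 		/* write the utmp/wtmp login record */
 		li = chansess_login_alloc(chansess);
@@ -924,10 +930,8 @@
 	}
 	
 #ifdef ENABLE_SVR_PUBKEY_OPTIONS
-	if (ses.authstate.pubkey_options &&
-			ses.authstate.pubkey_options->original_command) {
-		addnewvar("SSH_ORIGINAL_COMMAND", 
-			ses.authstate.pubkey_options->original_command);
+	if (chansess->original_command) {
+		addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
 	}
 #endif
 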
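Review bot: The `m_free(chansess->original_command);` added in the -279 hunk runs on every session close, including sessions that never passed through svr_pubkey_set_forced_command, so it depends on the new field being NULL from allocation onward. The -217 hunk shows the struct coming from m_malloc but stops before the field initialisations that follow, so I cannot confirm from this page that original_command is set; unless m_malloc zero-fills, add `chansess->original_command = NULL;` under the same `#ifdef ENABLE_SVR_PUBKEY_OPTIONS` alongside the initialisers of cmd and term in that function. The same reasoning applies to the `if (chansess->original_command)` test in the -924 hunk. All three hunks sit inside functions whose bodies extend outside what is shown.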