summaryrefslogtreecommitdiffstats
path: root/package/dropbear/patches/400-CVE-2012-0920.patch
blob: 164909f561b7fcd21edb236bc1a02e574550e7fd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

# HG changeset patch
# User Matt Johnston <matt@ucc.asn.au>
# Date 1322947885 -28800
# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
# Parent  5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
- Fix use-after-free if multiple command requests were sent. Move
the original_command into chansess struct since that makes more sense

--- a/auth.h
+++ b/auth.h
@@ -133,7 +133,6 @@ struct PubKeyOptions {
 	int no_pty_flag;
 	/* "command=" option. */
 	unsigned char * forced_command;
-	unsigned char * original_command;
 };
 #endif
 
--- a/chansession.h
+++ b/chansession.h
@@ -69,6 +69,10 @@ struct ChanSess {
 	char * agentfile;
 	char * agentdir;
 #endif
+
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+	char *original_command;
+#endif
 };
 
 struct ChildPid {
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -92,14 +92,15 @@ int svr_pubkey_allows_pty() {
  * by any 'command' public key option. */
 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
 	if (ses.authstate.pubkey_options) {
-		ses.authstate.pubkey_options->original_command = chansess->cmd;
-		if (!chansess->cmd)
-		{
-			ses.authstate.pubkey_options->original_command = m_strdup("");
+		if (chansess->cmd) {
+			/* original_command takes ownership */
+			chansess->original_command = chansess->cmd;
+		} else {
+			chansess->original_command = m_strdup("");
 		}
-		chansess->cmd = ses.authstate.pubkey_options->forced_command;
+		chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
 #ifdef LOG_COMMANDS
-		dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
+		dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
 #endif
 	}
 }
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -217,6 +217,8 @@ static int newchansess(struct Channel *c
 
 	struct ChanSess *chansess;
 
+	TRACE(("new chansess %p", channel))
+
 	dropbear_assert(channel->typedata == NULL);
 
 	chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
@@ -279,6 +281,10 @@ static void closechansess(struct Channel
 	m_free(chansess->cmd);
 	m_free(chansess->term);
 
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+	m_free(chansess->original_command);
+#endif
+
 	if (chansess->tty) {
 		/* write the utmp/wtmp login record */
 		li = chansess_login_alloc(chansess);
@@ -924,10 +930,8 @@ static void execchild(void *user_data) {
 	}
 	
 #ifdef ENABLE_SVR_PUBKEY_OPTIONS
-	if (ses.authstate.pubkey_options &&
-			ses.authstate.pubkey_options->original_command) {
-		addnewvar("SSH_ORIGINAL_COMMAND", 
-			ses.authstate.pubkey_options->original_command);
+	if (chansess->original_command) {
+		addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
 	}
 #endif