Module Name:    src
Committed By:   spz
Date:           Sun Dec 15 10:42:52 UTC 2013

Modified Files:
        src/crypto/external/bsd/openssh/dist: servconf.c

Log Message:
Coverity issues 996120 and 996121, Use after free

Use the M_CP_STROPT definition exclusive to servconf.c twice and
you have freed your original string.

servconf.h won copying authorized_keys_command and
authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107,
but servconf.c didn't drop its own, so it walks into this trap.
Remove the duplicate copies, and disarm the trap.

Note this is on a code path where authorized_keys_command and
authorized_keys_command_user don't actually get used except
for a debug dump of the config, and dump_cfg_string protects
itself against trying to print NULL pointers, so all
you get is sshd -T -C ... giving wrong results, which is rather
insignificant as far as security issues go.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/crypto/external/bsd/openssh/dist/servconf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/external/bsd/openssh/dist/servconf.c
diff -u src/crypto/external/bsd/openssh/dist/servconf.c:1.13 src/crypto/external/bsd/openssh/dist/servconf.c:1.14
--- src/crypto/external/bsd/openssh/dist/servconf.c:1.13	Fri Nov  8 19:18:25 2013
+++ src/crypto/external/bsd/openssh/dist/servconf.c	Sun Dec 15 10:42:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: servconf.c,v 1.13 2013/11/08 19:18:25 christos Exp $	*/
+/*	$NetBSD: servconf.c,v 1.14 2013/12/15 10:42:52 spz Exp $	*/
 /* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-__RCSID("$NetBSD: servconf.c,v 1.13 2013/11/08 19:18:25 christos Exp $");
+__RCSID("$NetBSD: servconf.c,v 1.14 2013/12/15 10:42:52 spz Exp $");
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/queue.h>
@@ -2012,7 +2012,7 @@ int server_match_spec_complete(struct co
 		dst->n = src->n; \
 } while (0)
 #define M_CP_STROPT(n) do {\
-	if (src->n != NULL) { \
+	if (src->n != NULL && dst->n != src->n) { \
 		free(dst->n); \
 		dst->n = src->n; \
 	} \
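Review bot: the added `dst->n != src->n` test in M_CP_STROPT only handles the case where dst already aliases src; the unchanged `dst->n = src->n` below it still leaves both structs pointing at one allocation, so a later free() through either struct leaves the other dangling. A comment above the macro saying that dst shares src's string after the copy, and which side owns it, would document why the guard exists and make it less likely to be dropped as redundant.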
@@ -2043,8 +2043,6 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
-	M_CP_STROPT(authorized_keys_command);
-	M_CP_STROPT(authorized_keys_command_user);
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
 
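Review bot: once the two M_CP_STROPT lines for authorized_keys_command and authorized_keys_command_user are removed, nothing in copy_set_server_options shows that these options are still copied; according to the log message that now happens only through COPY_MATCH_STRING_OPTS in servconf.h. A one-line comment at this spot pointing to that macro would help keep a later upstream merge from reintroducing the duplicate copies.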

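The trap described in the log message, as an added example that is not code from servconf.c: the 1.13 and 1.14 forms of the M_CP_STROPT body are written as functions and applied twice to the same pair of structs. `struct opts`, `tracked_free`, `copy_twice` and the sample strings are hypothetical names and constructed values.

```c
#include <stdlib.h>
#include <string.h>

struct opts { char *cmd; };         /* hypothetical one-field stand-in for ServerOptions */

static const struct opts *watched;  /* the src whose string must stay live */
static int stale_frees;             /* frees of a block src still references */

/* free() wrapper: counts a free of memory src still points at and skips
 * the real release, so the demonstration itself stays well-defined. */
static void tracked_free(void *p) {
    if (p != NULL && p == watched->cmd) { stale_frees++; return; }
    free(p);
}

/* Macro body as in revision 1.13. */
static void cp_stropt_old(struct opts *dst, const struct opts *src) {
    if (src->cmd != NULL) {
        tracked_free(dst->cmd);
        dst->cmd = src->cmd;
    }
}

/* Macro body as in revision 1.14, with the aliasing guard. */
static void cp_stropt_new(struct opts *dst, const struct opts *src) {
    if (src->cmd != NULL && dst->cmd != src->cmd) {
        tracked_free(dst->cmd);
        dst->cmd = src->cmd;
    }
}

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p != NULL) strcpy(p, s);
    return p;
}

/* Copy the same option twice; return how often src's live string was freed. */
static int copy_twice(void (*cp)(struct opts *, const struct opts *)) {
    struct opts src = { dup_str("/usr/libexec/keys-helper") };  /* constructed value */
    struct opts dst = { dup_str("none") };                      /* constructed value */
    watched = &src;
    stale_frees = 0;
    cp(&dst, &src);   /* releases "none"; dst.cmd now aliases src.cmd */
    cp(&dst, &src);   /* old form frees the shared block; new form does nothing */
    free(src.cmd);    /* single real release of the shared string */
    return stale_frees;
}

int main(void) {
    return (copy_twice(cp_stropt_old) == 1 && copy_twice(cp_stropt_new) == 0) ? 0 : 1;
}
```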