diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-11-16 07:10:29 +0100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-11-16 07:18:29 +0100 |
| commit | 15182fd96845a03216d7ac5a2cf31c4e77e406e3 (patch) | |
| tree | 5ddf18f5eefed91be37b61c95381e3fb28476aff /sshbuf.c | |
| parent | upstream: use path_absolute() for pathname checks; from Manoj Ampalam (diff) | |
| download | openssh-15182fd96845a03216d7ac5a2cf31c4e77e406e3.tar.xz openssh-15182fd96845a03216d7ac5a2cf31c4e77e406e3.zip | |
upstream: make grandparent-parent-child sshbuf chains robust to
use-after-free faults if the ancestors are freed before the descendents.
Nothing in OpenSSH uses this deallocation pattern. Reported by Jann Horn
OpenBSD-Commit-ID: d93501d1d2734245aac802a252b9bb2eccdba0f2
Diffstat (limited to 'sshbuf.c')
| -rw-r--r-- | sshbuf.c | 17 |
1 files changed, 10 insertions, 7 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf.c,v 1.12 2018/07/09 21:56:06 markus Exp $ */ +/* $OpenBSD: sshbuf.c,v 1.13 2018/11/16 06:10:29 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -143,12 +143,7 @@ sshbuf_free(struct sshbuf *buf) */ if (sshbuf_check_sanity(buf) != 0) return; - /* - * If we are a child, the free our parent to decrement its reference - * count and possibly free it. - */ - sshbuf_free(buf->parent); - buf->parent = NULL; + /* * If we are a parent with still-extant children, then don't free just * yet. The last child's call to sshbuf_free should decrement our @@ -157,6 +152,14 @@ sshbuf_free(struct sshbuf *buf) buf->refcount--; if (buf->refcount > 0) return; + + /* + * If we are a child, the free our parent to decrement its reference + * count and possibly free it. + */ + sshbuf_free(buf->parent); + buf->parent = NULL; + if (!buf->readonly) { explicit_bzero(buf->d, buf->alloc); free(buf->d); |