Subject: bin/12669: openssh ssh-add double xfree()
To: None <gnats-bugs@gnats.netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 04/15/2001 11:40:28
>Number:         12669
>Category:       bin
>Synopsis:       openssh ssh-add double xfree()
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 15 11:42:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Wolfgang Rupprecht
>Release:        -current Sun Apr 15 11:32:41 PDT 2001
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Environment:
	
System: NetBSD pasillo.wsrcc.com 1.5T NetBSD 1.5T (WSRCC_INTEL) #9: Tue Mar 27 21:08:23 PST 2001 wolfgang@capsicum.wsrcc.com:/v/src/netbsd/src/sys/arch/i386/compile/WSRCC_INTEL i386
Architecture: i386
Machine: i386
>Description:
	
	I submitted a patch to openbsd/openssh that got pooched.
	The net effect is that a malloc-ed string may get freed twice.

	I don't think it's exploitable, but ssh-add may drop core.  I don't 
	think this will expose any passwords, but it is still grotty.
	
>How-To-Repeat:
	
	examine the code around the patched section. (line 182)

	Note the bug is that "pass" is never set to NULL in their code
	so it can get freed again by clear_pass() the next time around
	(if the user keeps on typing passwords.)

>Fix:

Index: ssh-add.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/ssh/ssh-add.c,v
retrieving revision 1.8
diff -u -r1.8 ssh-add.c
--- ssh-add.c	2001/04/10 08:08:01	1.8
+++ ssh-add.c	2001/04/15 18:24:17
@@ -182,7 +182,7 @@
 				pass = ssh_askpass(askpass, msg);
 			}
 			if (strcmp(pass, "") == 0) {
-				xfree(pass);
+			        clear_pass();
 				xfree(comment);
 				return;
 			}
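Review bot: switching the empty-passphrase return to clear_pass() covers only this one exit; the report says pass "can get freed again by clear_pass() the next time around", so any other place in add_file that does a bare xfree(pass) without setting pass = NULL leaves the same dangling pointer and needs the same treatment (or the hunk should include those lines as well). Also, the added line `+			        clear_pass();` is indented with tabs followed by spaces while the surrounding lines use tabs only; match the existing tab indentation.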
>Release-Note:
>Audit-Trail:
>Unformatted: