What | Removed | Added |
---|---|---|
Status | NEW | IN_PROGRESS |
Flags |  | needinfo?(paka@opensuse.org) |
(In reply to Cristian Rodríguez from comment #10)
> On sshd.c
>
> 2042 -->ssh_packet_close(ssh); on line 2402 .. garbage because it has been
> messed up earlier by,
>
> 2383        /* The connection has been terminated. */
> 2384        packet_destroy_all(ssh, 1, 1);
> 2385        destroy_sensitive_data(ssh, 1);
>
>
> where packet_destroy_all invokes packet_destroy_state which cipher_free's
> first ...
>
> this is a bug in the audit patch.
>
> That's the analysis I could afford doing on my limited time to deal with
> this annoying crash.

Good analysis. I think the reason it doesn't always show up is that cipher_free() clears the struct with freezero(), and on the second call trying to free it again it will bail out on the cc->cipher == NULL precondition. However, if the allocator happens to reuse the memory range in between the two calls it will contain something else, resulting in a bad deref or double free.

The fix is to zero the pointers in packet_destroy_state() so they won't be followed later. I submitted rq#861491. I couldn't find any issues in my smoke test, but then I wasn't seeing the crash before either. Feel free to run your own tests with the origin project (home:hpjansson:branches:network/openssh).
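Added example (not part of this bug report and not OpenSSH's code): a stand-alone C model of the shutdown sequence discussed above, written to make the two outcomes from the comment observable. The struct, the pool allocator and the function names with a trailing underscore or `_buggy`/`_fixed` suffix are hypothetical stand-ins for the real sshd code; `cipher_free` here wipes with a freezero-like helper and bails out on `cc->cipher == NULL`, as the comment describes. The instrumented pool hands a freed slot out again on the next allocation, which is the allocator reuse that turns the silent second pass into a free of someone else's live context.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the cipher context: only the field the
 * precondition in cipher_free() looks at, plus some key material to wipe. */
struct cipher_ctx {
    const char *cipher;      /* non-NULL while the context is initialised */
    unsigned char key[16];   /* "sensitive data" that freezero() clears */
};

/* Hypothetical stand-in for the packet state: the pointer the fix zeroes. */
struct session_state {
    struct cipher_ctx *send_ctx;
};

/* Instrumented fixed-size pool instead of malloc/free, so that reading or
 * freeing released memory is counted rather than being undefined behaviour. */
#define POOL_SLOTS 2
static struct cipher_ctx pool[POOL_SLOTS];
static int pool_in_use[POOL_SLOTS];
static int uaf_reads;   /* precondition checks that looked at freed memory */

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(pool_in_use, 0, sizeof pool_in_use);
    uaf_reads = 0;
}

/* Lowest free slot first: a slot that was just freed is reused immediately,
 * which models the allocator reuse the comment describes. */
static struct cipher_ctx *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

/* freezero()-like: wipe the object, then release it. */
static void pool_freezero(struct cipher_ctx *p) {
    pool_in_use[p - pool] = 0;
    memset(p, 0, sizeof *p);
}

static void cipher_init(struct cipher_ctx *cc, const char *name) {
    cc->cipher = name;
    memset(cc->key, 0x41, sizeof cc->key);
}

/* cipher_free()-like: NULL or an already-wiped context is a no-op. */
static void cipher_free(struct cipher_ctx *cc) {
    if (cc == NULL)
        return;
    if (!pool_in_use[cc - pool])   /* instrumentation only: dangling pointer */
        uaf_reads++;
    if (cc->cipher == NULL)        /* the precondition the comment mentions */
        return;
    pool_freezero(cc);
}

/* packet_destroy_state() as in the audit patch: frees, leaves the pointer. */
static void destroy_state_buggy(struct session_state *st) {
    cipher_free(st->send_ctx);
}

/* The fix: zero the pointer so destroy_sensitive_data() sees NULL later. */
static void destroy_state_fixed(struct session_state *st) {
    cipher_free(st->send_ctx);
    st->send_ctx = NULL;
}

/* destroy_sensitive_data(): tears the same context down a second time. */
static void destroy_sensitive_data(struct session_state *st) {
    cipher_free(st->send_ctx);
}

/* Run the shutdown sequence from the bug. Returns a bitmask:
 *   1 = a cipher_free() precondition check read freed memory
 *   2 = an unrelated allocation was torn down through the stale pointer */
int run_shutdown(int fixed, int reuse_between) {
    int flags = 0;
    pool_reset();
    struct session_state st = { .send_ctx = pool_alloc() };
    cipher_init(st.send_ctx, "aes128-ctr");

    if (fixed)
        destroy_state_fixed(&st);
    else
        destroy_state_buggy(&st);

    struct cipher_ctx *other = NULL;
    if (reuse_between) {                  /* someone else gets the freed slot */
        other = pool_alloc();
        cipher_init(other, "chacha20-poly1305@openssh.com");
    }

    destroy_sensitive_data(&st);          /* second teardown pass */

    if (other && !pool_in_use[other - pool])
        flags |= 2;                       /* freed out from under its owner */
    if (other)
        cipher_free(other);               /* rightful owner frees its context */
    if (uaf_reads)
        flags |= 1;
    return flags;
}

int main(void) {
    printf("buggy, no reuse: %d\n", run_shutdown(0, 0));
    printf("buggy, reuse:    %d\n", run_shutdown(0, 1));
    printf("fixed, no reuse: %d\n", run_shutdown(1, 0));
    printf("fixed, reuse:    %d\n", run_shutdown(1, 1));
    return 0;
}
```

Without reuse the buggy sequence only reads the wiped, freed context and bails on the NULL cipher (flag 1), which is why the crash is intermittent; with reuse the stale pointer now points at a live context and the second pass frees it from under its owner (flags 1|2). With the pointer zeroed in the first pass, both variants return 0, because `cipher_free(NULL)` never looks at memory at all.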