3 files changed, 22 insertions, 1 deletions

diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
index b9c2efd..1daa144 100644
--- a/crypto/openssh/auth-chall.c
+++ b/crypto/openssh/auth-chall.c
@@ -99,3 +99,11 @@ verify_response(Authctxt *authctxt, const char *response)
 	authctxt->kbdintctxt = NULL;
 	return res ? 0 : 1;
 }
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+	if (authctxt->kbdintctxt != NULL) {
+		device->free_ctx(authctxt->kbdintctxt);
+		authctxt->kbdintctxt = NULL;
+	}
+}
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index 79ce420..4e19ee4 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -160,6 +160,7 @@ struct passwd * getpwnamallow(const char *user);
 
 char	*get_challenge(Authctxt *);
 int	verify_response(Authctxt *, const char *);
+void	abandon_challenge_response(Authctxt *);
 
 struct passwd * auth_get_user(void);
 
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index f88dcc9..a13f610 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -74,7 +74,7 @@ do_authloop(Authctxt *authctxt)
 	char info[1024];
 	u_int dlen;
 	u_int ulen;
-	int type = 0;
+	int prev, type = 0;
 	struct passwd *pw = authctxt->pw;
 
 	debug("Attempting authentication for %s%.100s.",
@@ -104,8 +104,20 @@ do_authloop(Authctxt *authctxt)
 		info[0] = '\0';
 
 		/* Get a packet from the client. */
+		prev = type;
 		type = packet_read();
 
+		/*
+		 * If we started challenge-response authentication but the
+		 * next packet is not a response to our challenge, release
+		 * the resources allocated by get_challenge() (which would
+		 * normally have been released by verify_response() had we
+		 * received such a response)
+		 */
+		if (prev == SSH_CMSG_AUTH_TIS &&
+		    type != SSH_CMSG_AUTH_TIS_RESPONSE)
+			abandon_challenge_response(authctxt);
+
 		/* Process the packet. */
 		switch (type) {