lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-11-30 13:01:23 +03:00
Code Activity

messages: Do not leak memory of previously allocated answers

Browse Source 
Found by ozz-fuzz

BUG: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1222

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Andreas Schneider
2017-04-25 16:20:06 +02:00
parent 5eb41492c4
commit 7c79b5c154
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/messages.c
View File

@@ -969,6 +969,15 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
goto error; goto error;
} }
} else if (session->kbdint->nanswers > 0) {
uint32_t n;
for (n = 0; n < session->kbdint->nanswers; n++) {
BURN_STRING(session->kbdint->answers[n]);
SAFE_FREE(session->kbdint->answers[n]);
}
SAFE_FREE(session->kbdint->answers);
session->kbdint->nanswers = 0;
} }
SSH_LOG(SSH_LOG_PACKET,"kbdint: %d answers",nanswers); SSH_LOG(SSH_LOG_PACKET,"kbdint: %d answers",nanswers);
@@ -989,7 +998,6 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
} }
session->kbdint->nanswers = nanswers; session->kbdint->nanswers = nanswers;
SAFE_FREE(session->kbdint->answers);
session->kbdint->answers = calloc(1, nanswers * sizeof(char *)); session->kbdint->answers = calloc(1, nanswers * sizeof(char *));
if (session->kbdint->answers == NULL) { if (session->kbdint->answers == NULL) {
session->kbdint->nanswers = 0; session->kbdint->nanswers = 0;
@@ -1010,7 +1018,6 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
goto error; goto error;
} }
SAFE_FREE(session->kbdint->answers[i]);
session->kbdint->answers[i] = ssh_string_to_char(tmp); session->kbdint->answers[i] = ssh_string_to_char(tmp);
ssh_string_free(tmp); ssh_string_free(tmp);
if (session->kbdint->answers[i] == NULL) { if (session->kbdint->answers[i] == NULL) {