Description: Fix double free that could lead to denial of service or code execution (CVE-2012-4559)
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=1471f2c67a23602898e783c97b65aea9cc6356a4
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=6236001ff4f9017c9f842d6548baba9760c95f5c
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=46b2eb3c147a29478809f1ab95e924e1bb7e3768
--- a/libssh/agent.c
+++ b/libssh/agent.c
@@ -438,6 +438,7 @@ ssh_string agent_sign_data(struct ssh_se
}
string_free(blob);
+ blob = NULL;
reply = buffer_new();
if (reply == NULL) {
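Review bot: Setting blob = NULL right after string_free(blob) only prevents the double free if string_free tolerates a NULL argument on the later cleanup path that frees blob again; confirm that string_free(NULL) is a no-op in this libssh version, otherwise the second free site also needs an explicit `if (blob != NULL)` guard. The hunk does not show that later free site, so it is worth checking that it is the one reachable when buffer_new() fails below.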
@@ -450,6 +451,7 @@ ssh_string agent_sign_data(struct ssh_se
return NULL;
}
buffer_free(request);
+ request = NULL;
/* check if reply is valid */
if (buffer_get_u8(reply, (uint8_t *) &type) != sizeof(uint8_t)) {
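Review bot: Nulling request after buffer_free(request) follows the same pattern as the blob change above, but the cleanup that would free request a second time is outside the visible context; the backport should be checked against the upstream commit to make sure every error return after this point (for example the `return NULL` paths that follow the reply validity checks) goes through a free that handles NULL, rather than relying on this assignment alone.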
--- a/libssh/channels.c
+++ b/libssh/channels.c
@@ -1057,6 +1057,7 @@ static int channel_request(ssh_channel c
buffer_add_u32(session->out_buffer, htonl(channel->remote_channel)) < 0 ||
buffer_add_ssh_string(session->out_buffer, req) < 0 ||
buffer_add_u8(session->out_buffer, reply == 0 ? 0 : 1) < 0) {
+ string_free(req);
goto error;
}
string_free(req);
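Review bot: The string_free(req) added before goto error is only correct together with the companion hunk at -1099 that removes string_free(req) from the error label; applied on its own it would free req twice on the buffer_add failure path. Since this is a backport assembled from several upstream commits, the two hunks must land as a unit, and a comment such as `/* req is freed by the caller of goto error */` at the error label would make the ownership obvious to the next backporter.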
@@ -1099,7 +1100,6 @@ static int channel_request(ssh_channel c
return rc;
error:
buffer_reinit(session->out_buffer);
- string_free(req);
leave_function();
return rc;
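Review bot: Removing string_free(req) from the error label changes the contract for every other `goto error` in channel_request, not just the one shown at -1057: any jump taken after req has been allocated and before it is freed now leaks req. The function body between these two hunks is not in the diff, so each goto error site in channel_request should be audited to confirm it either precedes the allocation of req or frees req first.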
--- a/libssh/sftp.c
+++ b/libssh/sftp.c
@@ -1178,8 +1178,8 @@ static char *sftp_parse_longname(const c
so that number of pairs equals extended_count */
static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
int expectname) {
- ssh_string longname = NULL;
- ssh_string name = NULL;
+ ssh_string longname;
+ ssh_string name;
sftp_attributes attr;
uint32_t flags = 0;
int ok = 0;
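Review bot: Dropping the `= NULL` initialisers from longname and name is unnecessary and slightly risky: when expectname is 0 neither variable is ever assigned, so any future read of them (for instance a cleanup added back into the !ok block) would be undefined behaviour rather than a harmless free of NULL. Keeping `ssh_string longname = NULL;` and `ssh_string name = NULL;` costs nothing and does not affect the double-free fix, which comes from the later hunks.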
@@ -1194,19 +1194,27 @@ static sftp_attributes sftp_parse_attr_3
/* This isn't really a loop, but it is like a try..catch.. */
do {
if (expectname) {
- if ((name = buffer_get_ssh_string(buf)) == NULL ||
- (attr->name = string_to_char(name)) == NULL) {
- break;
+ name = buffer_get_ssh_string(buf);
+ if (name == NULL) {
+ break;
}
+ attr->name = string_to_char(name);
string_free(name);
+ if (attr->name == NULL) {
+ break;
+ }
ssh_log(sftp->session, SSH_LOG_RARE, "Name: %s", attr->name);
- if ((longname=buffer_get_ssh_string(buf)) == NULL ||
- (attr->longname=string_to_char(longname)) == NULL) {
- break;
+ longname = buffer_get_ssh_string(buf);
+ if (longname == NULL) {
+ break;
}
+ attr->longname = string_to_char(longname);
string_free(longname);
+ if (attr->longname == NULL) {
+ break;
+ }
/* Set owner and group if we talk to openssh and have the longname */
if (ssh_get_openssh_version(sftp->session)) {
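Review bot: The restructured blocks free name and longname exactly once, immediately after string_to_char, and only then test attr->name / attr->longname, which is what removes the double free: the ssh_string is never still live when `break` is taken, so the !ok cleanup must not free it again (handled by the -1311 hunk). One readability point: the two blocks are identical in shape, and a short comment above the first (`/* the ssh_string is released here; attr->name owns the copy from now on */`) would document the ownership rule that the cleanup code at the end of the function now depends on.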
@@ -1311,8 +1319,6 @@ static sftp_attributes sftp_parse_attr_3
if (!ok) {
/* break issued somewhere */
- string_free(name);
- string_free(longname);
string_free(attr->extended_type);
string_free(attr->extended_data);
SAFE_FREE(attr->name);
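Review bot: Removing string_free(name) and string_free(longname) from the !ok cleanup is correct only because the -1194 hunk guarantees that every `break` in the expectname block happens either before the string is allocated (buffer_get_ssh_string returned NULL) or after string_free has already run; if a later change adds a break between buffer_get_ssh_string and string_free, that string will leak. The remaining SAFE_FREE(attr->name) is safe in both outcomes, since attr->name is NULL when string_to_char fails.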
@@ -2250,6 +2256,7 @@ int sftp_mkdir(sftp_session sftp, const
sftp_packet_write(sftp, SSH_FXP_MKDIR, buffer) < 0) {
buffer_free(buffer);
string_free(path);
+ return -1;
}
buffer_free(buffer);
string_free(path);
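Review bot: The added `return -1;` is what actually stops the double free in sftp_mkdir: without it the error branch fell through to the buffer_free(buffer) / string_free(path) pair immediately below and released both objects a second time. Confirm that -1 is the same error value the other failure paths in sftp_mkdir return (the rest of the function is not in the hunk), and that the caller does not also expect an sftp error code to have been set before this early return.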