From 0d9b2c68ccf030fb6590b7af99bd04a73cc44d56 Mon Sep 17 00:00:00 2001 From: Mingyuan Li <2560359315@qq.com> Date: Mon, 23 Feb 2026 23:31:34 +0800 Subject: [PATCH] sftpserver: Fix memory leak of h->name in process_opendir error path When sftp_handle_alloc() fails in process_opendir(), the error path frees the handle struct h but does not free h->name which was allocated by strdup(). This causes a memory leak every time the server runs out of available SFTP handles while processing an opendir request. Also add a missing NULL check for the strdup() call itself to handle out-of-memory conditions gracefully. This is the same class of bug that was fixed in process_open() by commit db7f101d (CVE-2025-5449), but was missed in process_opendir(). Signed-off-by: Mingyuan Li <2560359315@qq.com> Reviewed-by: Jakub Jelen
---
 src/sftpserver.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/sftpserver.c b/src/sftpserver.c
index 987d52a8..30af0cda 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -1343,6 +1343,15 @@ process_opendir(sftp_client_message client_msg)
 }
 h->dirp = dir;
 h->name = strdup(dir_name);
+ if (h->name == NULL) {
+ free(h);
+ closedir(dir);
+ SSH_LOG(SSH_LOG_PROTOCOL, "failed to duplicate directory name");
+ sftp_reply_status(client_msg,
+ SSH_FX_FAILURE,
+ "Failed to allocate new handle");
+ return SSH_ERROR;
+ }
 h->type = SFTP_DIR_HANDLE;
 handle_s = sftp_handle_alloc(client_msg->sftp, h);
@@ -1350,6 +1359,7 @@ process_opendir(sftp_client_message client_msg)
 sftp_reply_handle(client_msg, handle_s);
 ssh_string_free(handle_s);
 } else {
+ SAFE_FREE(h->name);
 free(h);
 closedir(dir);
 sftp_reply_status(client_msg, SSH_FX_FAILURE, "No handle available");
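Review bot: Ownership of `h->name` is still implicit at the `strdup()` call, which is presumably how this leak survived after process_open() was fixed for the same class of bug. I would add a comment above the assignment, `/* h owns name from here; any later failure path must release it before free(h) */`, so the rule is stated at the allocation site. The diffstat shows only src/sftpserver.c changed, so neither failure path is covered by a test in this commit; a regression test for the handle-exhaustion case fixed in the second hunk would keep it from reappearing. process_opendir starts and ends outside this hunk.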
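Review bot: Handle exhaustion in the `else` branch is still silent on the server side. The strdup failure branch added in the first hunk calls SSH_LOG, but this branch only sends `SSH_FX_FAILURE` to the client. Since the commit message describes this path as reached whenever the server runs out of SFTP handles, a line such as `SSH_LOG(SSH_LOG_PROTOCOL, "no sftp handle available for opendir");` before `SAFE_FREE(h->name);` would make that condition visible to operators. Whether the branch also returns an error afterwards cannot be seen here, because the function continues past the end of the hunk.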