sftpserver: Fix memory leak of h->name in process_opendir error path

When sftp_handle_alloc() fails in process_opendir(), the error path
frees the handle struct h but does not free h->name which was
allocated by strdup(). This causes a memory leak every time the
server runs out of available SFTP handles while processing an
opendir request.

Also add a missing NULL check for the strdup() call itself to
handle out-of-memory conditions gracefully.

This is the same class of bug that was fixed in process_open() by
commit db7f101d (CVE-2025-5449), but was missed in process_opendir().

Signed-off-by: Mingyuan Li <2560359315@qq.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Mingyuan Li
2026-02-23 23:31:34 +08:00
committed by Jakub Jelen
parent adc2462329
commit 0d9b2c68cc


@@ -1343,6 +1343,15 @@ process_opendir(sftp_client_message client_msg)
}
h->dirp = dir;
h->name = strdup(dir_name);
if (h->name == NULL) {
free(h);
closedir(dir);
SSH_LOG(SSH_LOG_PROTOCOL, "failed to duplicate directory name");
sftp_reply_status(client_msg,
SSH_FX_FAILURE,
"Failed to allocate new handle");
return SSH_ERROR;
}
h->type = SFTP_DIR_HANDLE;
handle_s = sftp_handle_alloc(client_msg->sftp, h);
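Review bot: the new `if (h->name == NULL)` branch repeats the `free(h); closedir(dir); sftp_reply_status(...)` teardown that the `else` branch after `sftp_handle_alloc()` also has to carry, and that kind of duplication is how `h->name` came to be missed in the first place. Consider routing both failures through one cleanup label at the end of process_opendir() that frees `h->name`, frees `h`, closes `dir` and sends the failure status, so a member added to the handle later only needs releasing in one place. A smaller point in the same branch: the log line says "failed to duplicate directory name" while the status text sent to the client says "Failed to allocate new handle"; if the generic client text is intentional, a short comment saying so would keep someone from "fixing" the mismatch.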
@@ -1350,6 +1359,7 @@ process_opendir(sftp_client_message client_msg)
sftp_reply_handle(client_msg, handle_s);
ssh_string_free(handle_s);
} else {
SAFE_FREE(h->name);
free(h);
closedir(dir);
sftp_reply_status(client_msg, SSH_FX_FAILURE, "No handle available");
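Review bot: the `else` branch releases `h->name` now, but in the lines shown it still emits no SSH_LOG entry, unlike the strdup() failure branch added in the previous hunk. Handle exhaustion is the condition the commit message describes as recurring on every opendir request once the table is full, so a log line here, at the same level as the strdup() one, would let an operator see it happening. Style nit on the added line: `SAFE_FREE(h->name)` sits directly above a plain `free(h)`, so the pointer reset it performs is discarded immediately; either form is correct, but a plain `free(h->name)` would match the neighbouring call.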