messages: Do not leak memory of previously allocated answers

Found by oss-fuzz

BUG: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1222

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 7c79b5c154)
Andreas Schneider
2017-04-25 16:20:06 +02:00
parent d88cc720fb
commit 239d0f75b5


@@ -923,6 +923,15 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
goto error;
}
} else if (session->kbdint->nanswers > 0) {
uint32_t n;
for (n = 0; n < session->kbdint->nanswers; n++) {
BURN_STRING(session->kbdint->answers[n]);
SAFE_FREE(session->kbdint->answers[n]);
}
SAFE_FREE(session->kbdint->answers);
session->kbdint->nanswers = 0;
}
SSH_LOG(SSH_LOG_PACKET,"kbdint: %d answers",nanswers);
@@ -943,7 +952,6 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
}
session->kbdint->nanswers = nanswers;
SAFE_FREE(session->kbdint->answers);
session->kbdint->answers = calloc(1, nanswers * sizeof(char *));
if (session->kbdint->answers == NULL) {
session->kbdint->nanswers = 0;
@@ -964,7 +972,6 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
goto error;
}
SAFE_FREE(session->kbdint->answers[i]);
session->kbdint->answers[i] = ssh_string_to_char(tmp);
ssh_string_free(tmp);
if (session->kbdint->answers[i] == NULL) {
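Review bot: The new `else if` in the first hunk guards the cleanup loop only with `session->kbdint->nanswers > 0` and then indexes `session->kbdint->answers[n]`, so it depends on every other path keeping `nanswers` and `answers` in sync. The visible allocation path does reset `nanswers` to 0 when `calloc` fails, but the rest of ssh_packet_userauth_info_response and the other users of the kbdint struct are outside these hunks, so I would make the guard explicit: `} else if (session->kbdint->answers != NULL && session->kbdint->nanswers > 0) {`. Since the later `SAFE_FREE` calls appear to be the lines this commit drops, this block is now the only place old answers are scrubbed and released, which deserves a comment such as `/* scrub and free answers left from an earlier response before accepting new ones */`. Separately, `calloc(1, nanswers * sizeof(char *))` multiplies what looks like a peer-supplied count by hand; `calloc(nanswers, sizeof(char *))` lets the allocator reject an overflowing size, unless `nanswers` is already bounded in the lines between the hunks.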