From 6c392befcc1b90e045256a33cfd9b61f65beabc2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Mon, 28 Oct 2019 12:00:07 +0100
Subject: [PATCH] SSH-01-007: Fix possible double free of ssh strings

Fixes T183

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
(cherry picked from commit 032f25aab31549284d1d96e7fbda24d320af3063)
---
 src/pki_gcrypt.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 6e00194a..276d2eb8 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1573,7 +1573,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
     }
 
     rc = ssh_buffer_add_ssh_string(buffer, type_s);
-    ssh_string_free(type_s);
+    SSH_STRING_FREE(type_s);
     if (rc < 0) {
         ssh_buffer_free(buffer);
         return NULL;
@@ -1631,13 +1631,13 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
             }
 
             ssh_string_burn(p);
-            ssh_string_free(p);
+            SSH_STRING_FREE(p);
             ssh_string_burn(g);
-            ssh_string_free(g);
+            SSH_STRING_FREE(g);
             ssh_string_burn(q);
-            ssh_string_free(q);
+            SSH_STRING_FREE(q);
             ssh_string_burn(n);
-            ssh_string_free(n);
+            SSH_STRING_FREE(n);
 
             break;
         case SSH_KEYTYPE_RSA:
@@ -1667,9 +1667,9 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
             }
 
             ssh_string_burn(e);
-            ssh_string_free(e);
+            SSH_STRING_FREE(e);
             ssh_string_burn(n);
-            ssh_string_free(n);
+            SSH_STRING_FREE(n);
 
             break;
         case SSH_KEYTYPE_ED25519:
@@ -1690,7 +1690,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
             }
 
             rc = ssh_buffer_add_ssh_string(buffer, type_s);
-            ssh_string_free(type_s);
+            SSH_STRING_FREE(type_s);
             if (rc < 0) {
                 ssh_buffer_free(buffer);
                 return NULL;
@@ -1709,7 +1709,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
             }
 
             ssh_string_burn(e);
-            ssh_string_free(e);
+            SSH_STRING_FREE(e);
             e = NULL;
             break;
 #endif
@@ -1735,17 +1735,17 @@ makestring:
 fail:
     ssh_buffer_free(buffer);
     ssh_string_burn(str);
-    ssh_string_free(str);
+    SSH_STRING_FREE(str);
     ssh_string_burn(e);
-    ssh_string_free(e);
+    SSH_STRING_FREE(e);
     ssh_string_burn(p);
-    ssh_string_free(p);
+    SSH_STRING_FREE(p);
     ssh_string_burn(g);
-    ssh_string_free(g);
+    SSH_STRING_FREE(g);
     ssh_string_burn(q);
-    ssh_string_free(q);
+    SSH_STRING_FREE(q);
     ssh_string_burn(n);
-    ssh_string_free(n);
+    SSH_STRING_FREE(n);
 
     return NULL;
 }