From 8e4d67aa9eda455bfad9ac610e54b7a548d0aa08 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 6 Aug 2025 11:10:38 +0200
Subject: [PATCH] CVE-2025-8277: ecdh: Free previously allocated pubkeys
Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
(cherry picked from commit c9d95ab0c7a52b231bcec09afbea71944ed0d852)
---
 src/ecdh_crypto.c | 1 +
 src/ecdh_gcrypt.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
index a286804f..fb707c32 100644
--- a/src/ecdh_crypto.c
+++ b/src/ecdh_crypto.c
@@ -230,6 +230,7 @@ int ssh_client_ecdh_init(ssh_session session)
 return SSH_ERROR;
 }
+ ssh_string_free(session->next_crypto->ecdh_client_pubkey);
 session->next_crypto->ecdh_client_pubkey = client_pubkey;
 /* register the packet callbacks */
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
index 8eabfe18..5dcd3929 100644
--- a/src/ecdh_gcrypt.c
+++ b/src/ecdh_gcrypt.c
@@ -106,9 +106,10 @@ int ssh_client_ecdh_init(ssh_session session)
 gcry_sexp_release(session->next_crypto->ecdh_privkey);
 session->next_crypto->ecdh_privkey = NULL;
 }
-
 session->next_crypto->ecdh_privkey = key;
 key = NULL;
+
+ SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);
 session->next_crypto->ecdh_client_pubkey = client_pubkey;
 client_pubkey = NULL;
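Review bot: The added free in src/ecdh_crypto.c calls `ssh_string_free(session->next_crypto->ecdh_client_pubkey);` while the same fix in src/ecdh_gcrypt.c uses the `SSH_STRING_FREE(...)` macro; using the macro in both backends would keep them parallel. Assuming the macro also resets the pointer to NULL, it would also guard against a stale pointer if an early return is ever added between the free and the reassignment. Neither hunk records why an old key can still be attached at this point, so a one-line comment above each free, such as `/* release the pubkey left by an earlier ecdh init before replacing it */`, would document the leak this CVE fix closes. The gcrypt hunk shows ecdh_privkey being released before it is replaced, but whether ecdh_crypto.c does the same is not visible here, since ssh_client_ecdh_init's body extends beyond both hunks.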