From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 20 Sep 2025 12:51:01 +0000 (+0200)
Subject: libssh: return out of memory correctly if aprintf fails
X-Git-Tag: rc-8_17_0-1~313
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2d3b832445a05ed2e590fa5a40b0914f932bc42;p=thirdparty%2Fcurl.git

libssh: return out of memory correctly if aprintf fails

The code called set sshc->nextstate and returned SSH_OK without setting
sshc->actualcode to an error code.

Reported in Joshua's sarif data

Closes #18637
---

diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index 56f21d85e9..eacc27a921 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -765,7 +765,7 @@ static int myssh_in_SFTP_QUOTE_STATVFS(struct Curl_easy *data,
     #else
     #define CURL_LIBSSH_VFS_SIZE_MASK PRIu64
     #endif
-    CURLcode result;
+    CURLcode result = CURLE_OK;
     char *tmp = aprintf("statvfs:\n"
                         "f_bsize: %" CURL_LIBSSH_VFS_SIZE_MASK "\n"
                         "f_frsize: %" CURL_LIBSSH_VFS_SIZE_MASK "\n"
@@ -786,14 +786,13 @@ static int myssh_in_SFTP_QUOTE_STATVFS(struct Curl_easy *data,
                         statvfs->f_namemax);
     sftp_statvfs_free(statvfs);
 
-    if(!tmp) {
-      myssh_to(data, sshc, SSH_SFTP_CLOSE);
-      sshc->nextstate = SSH_NO_STATE;
-      return SSH_OK;
-    }
+    if(!tmp)
+      result = CURLE_OUT_OF_MEMORY;
 
-    result = Curl_client_write(data, CLIENTWRITE_HEADER, tmp, strlen(tmp));
-    free(tmp);
+    if(!result) {
+      result = Curl_client_write(data, CLIENTWRITE_HEADER, tmp, strlen(tmp));
+      free(tmp);
+    }
     if(result) {
       myssh_to(data, sshc, SSH_SFTP_CLOSE);
       sshc->nextstate = SSH_NO_STATE;