upstream: Plug mem leaks on error paths, based in part on github
authordtucker@openbsd.org <dtucker@openbsd.org>
Fri, 13 Sep 2019 04:36:43 +0000 (04:36 +0000)
committerDamien Miller <djm@mindrot.org>
Fri, 13 Sep 2019 04:53:45 +0000 (14:53 +1000)
pr#120 from David Carlier.  ok djm@.

OpenBSD-Commit-ID: c57adeb1022a8148fc86e5a88837b3b156dbdb7e

auth-options.c
ssh_api.c

index 6fb59dc7e7636619989d68676e20b8eae62fe1c2..9550f656f4275d8140ea1aacafeea43ef1617c02 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.88 2019/09/06 04:53:27 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  *
@@ -266,6 +266,7 @@ handle_permit(const char **optsp, int allow_bare_port,
                 * listen_host wildcard.
                 */
                if (asprintf(&tmp, "*:%s", opt) == -1) {
+                       free(opt);
                        *errstrp = "memory allocation failed";
                        return -1;
                }
index 6ea40b5e7a537dc09a65fa088f5161478d55290e..03dac0982c92eb71abcf9919b0afbdbf50a9696a 100644 (file)
--- a/ssh_api.c
+++ b/ssh_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.17 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.18 2019/09/13 04:36:43 dtucker Exp $ */
 /*
  * Copyright (c) 2012 Markus Friedl.  All rights reserved.
  *
@@ -330,8 +330,8 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
        const char *mismatch = "Protocol mismatch.\r\n";
        const u_char *s = sshbuf_ptr(input);
        u_char c;
-       char *cp, *remote_version;
-       int r, remote_major, remote_minor, expect_nl;
+       char *cp = NULL, *remote_version = NULL;
+       int r = 0, remote_major, remote_minor, expect_nl;
        size_t n, j;
 
        for (j = n = 0;;) {
@@ -357,10 +357,8 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
                if (sshbuf_len(banner) >= 4 &&
                    memcmp(sshbuf_ptr(banner), "SSH-", 4) == 0)
                        break;
-               if ((cp = sshbuf_dup_string(banner)) == NULL)
-                       return SSH_ERR_ALLOC_FAIL;
-               debug("%s: %s", __func__, cp);
-               free(cp);
+               debug("%s: %.*s", __func__, (int)sshbuf_len(banner),
+                   sshbuf_ptr(banner));
                /* Accept lines before banner only on client */
                if (ssh->kex->server || ++n > SSH_MAX_PRE_BANNER_LINES) {
   bad:
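Review bot: The new `debug()` call passes `(int)sshbuf_len(banner)` as the `%.*s` precision, so the read of the unterminated buffer is bounded only while that length fits in an int; a negative precision is treated as absent and the conversion would then run to the first NUL. The cap on the banner length is presumably enforced earlier in the loop, outside this hunk, so a short comment would document the dependency: `/* banner is not NUL-terminated; its length is capped above, so the int cast is safe */`. The bytes are peer-supplied and still go to the log as received, and with the `sshbuf_dup_string()` call gone an embedded NUL now silently truncates the logged line.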
@@ -373,19 +371,22 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
        if ((r = sshbuf_consume(input, j)) != 0)
                return r;
 
-       if ((cp = sshbuf_dup_string(banner)) == NULL)
-               return SSH_ERR_ALLOC_FAIL;
        /* XXX remote version must be the same size as banner for sscanf */
-       if ((remote_version = calloc(1, sshbuf_len(banner))) == NULL)
-               return SSH_ERR_ALLOC_FAIL;
+       if ((cp = sshbuf_dup_string(banner)) == NULL ||
+           (remote_version = calloc(1, sshbuf_len(banner))) == NULL) {
+               r = SSH_ERR_ALLOC_FAIL;
+               goto out;
+       }
 
        /*
         * Check that the versions match.  In future this might accept
         * several versions and set appropriate flags to handle them.
         */
        if (sscanf(cp, "SSH-%d.%d-%[^\n]\n",
-           &remote_major, &remote_minor, remote_version) != 3)
-               return SSH_ERR_INVALID_FORMAT;
+           &remote_major, &remote_minor, remote_version) != 3) {
+               r = SSH_ERR_INVALID_FORMAT;
+               goto out;
+       }
        debug("Remote protocol version %d.%d, remote software version %.100s",
            remote_major, remote_minor, remote_version);
 
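Review bot: The `%[^\n]` conversion in the `sscanf` call has no field width, so it stays in bounds only because `remote_version` is allocated with `sshbuf_len(banner)` bytes, which the XXX comment hints at but does not explain. Assuming `cp` holds exactly the banner bytes, the matched text starts after the `SSH-x.y-` prefix and is always shorter than the allocation, so I would spell that out: `/* remote_version is sized to the whole banner, so the unbounded %[^\n] below cannot overrun it */`. The two `%d` conversions also take peer-supplied digits with no range check, so an out-of-range number is not rejected as `SSH_ERR_INVALID_FORMAT` at this point. The function continues outside this hunk.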
@@ -395,10 +396,13 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
                remote_minor = 0;
        }
        if (remote_major != 2)
-               return SSH_ERR_PROTOCOL_MISMATCH;
+               r = SSH_ERR_PROTOCOL_MISMATCH;
+
        debug("Remote version string %.100s", cp);
+ out:
        free(cp);
-       return 0;
+       free(remote_version);
+       return r;
 }
 
 /* Send our own protocol version identification. */
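Review bot: The `remote_major != 2` branch now sets `r` and falls through to the `debug()` call instead of jumping to `out` like the other error paths in this function. That looks deliberate, since the version string is still logged on a mismatch, but an unbraced assignment followed by shared code is easy to break when a statement is later added between it and the label. A comment such as `/* fall through: log the version string, then clean up */` would make the intent explicit.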