From: semarie@openbsd.org <semarie@openbsd.org>
Date: Fri, 26 Jun 2020 11:26:01 +0000 (+0000)
Subject: upstream: backout 1.293 fix kex mem-leak in ssh_packet_close at markus
X-Git-Tag: V_8_4_P1~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14beca57ac92d62830c42444c26ba861812dc837;p=thirdparty%2Fopenssh-portable.git

upstream: backout 1.293 fix kex mem-leak in ssh_packet_close at markus

request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())

OpenBSD-Commit-ID: 9c9a6721411461b0b1c28dc00930d7251a798484
---

diff --git a/packet.c b/packet.c
index 4780356f2..9ffd9f59b 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.293 2020/06/24 15:12:09 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.294 2020/06/26 11:26:01 semarie Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -616,8 +616,6 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
 		state->newkeys[mode] = NULL;
 		ssh_clear_newkeys(ssh, mode);		/* next keys */
 	}
-	kex_free(ssh->kex);
-	ssh->kex = NULL;
 #ifdef WITH_ZLIB
 	/* compression state is in shared mem, so we can only release it once */
 	if (do_close && state->compression_buffer) {