authorDamien Miller <djm@mindrot.org>2012-07-06 13:44:43 +1000
committerDamien Miller <djm@mindrot.org>2012-07-06 13:44:43 +1000
commitab523b02467f36a2f85c1a8bff6cf2fd4297fb12 (patch)
treee8944e6d41815baeb1502138a38723fcbda36870
parentdfceafe8b11a4a1f9890a37e0cd88b01eb9cc30c (diff)
- djm@cvs.openbsd.org 2012/07/06 01:37:21
[mux.c] fix memory leak of passed-in environment variables and connection context when new session message is malformed; bz#2003 from Bert.Wesarg AT googlemail.com
-rw-r--r--ChangeLog5
-rw-r--r--mux.c12
2 files changed, 14 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 0d876d2a..68811e63 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,11 @@
Add options to specify starting line number and number of lines to process
when screening moduli candidates. This allows processing of different
parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
+ - djm@cvs.openbsd.org 2012/07/06 01:37:21
+ [mux.c]
+ fix memory leak of passed-in environment variables and connection
+ context when new session message is malformed; bz#2003 from Bert.Wesarg
+ AT googlemail.com
20120704
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
diff --git a/mux.c b/mux.c
index 3dd5e262..5e0e65ff 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.35 2012/06/01 01:01:22 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@@ -316,6 +316,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
cctx->term = NULL;
cctx->rid = rid;
cmd = reserved = NULL;
+ cctx->env = NULL;
+ env_len = 0;
if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&cctx->want_tty, m) != 0 ||
buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 ||
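Review bot: Nothing at the two added lines says why `cctx->env` and `env_len` have to be set before the `if` that starts parsing. The error branch in the next hunk now walks `cctx->env[0..env_len)`, so it could act on an unset `env_len` if these assignments were moved back below the parse. A one-line comment above them would pin the ordering: `/* set before any parse can fail: the malformed-message path frees cctx->env[0..env_len) */`. The `if` condition continues past the end of this hunk, so the remaining fields it parses are not visible here.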
@@ -329,16 +331,19 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
xfree(cmd);
if (reserved != NULL)
xfree(reserved);
+ for (j = 0; j < env_len; j++)
+ xfree(cctx->env[j]);
+ if (env_len > 0)
+ xfree(cctx->env);
if (cctx->term != NULL)
xfree(cctx->term);
+ xfree(cctx);
error("%s: malformed message", __func__);
return -1;
}
xfree(reserved);
reserved = NULL;
- cctx->env = NULL;
- env_len = 0;
while (buffer_len(m) > 0) {
#define MUX_MAX_ENV_VARS 4096
if ((cp = buffer_get_string_ret(m, &len)) == NULL)
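Review bot: The new `if (env_len > 0) xfree(cctx->env);` keys the free on a counter rather than on the pointer being released, unlike the `cctx->term != NULL` guard directly below it. Since the previous hunk now sets `cctx->env = NULL` before parsing starts, the guard can test the pointer itself, `if (cctx->env != NULL) xfree(cctx->env);`, which stays correct even if a later change allocates the array before counting an entry. When this block is entered from the `if` above it, `env_len` is still 0, so the added loop presumably only does work when the block is reached from the environment loop below. That jump and the start of the `if` are both outside the hunk.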
@@ -413,6 +418,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
xfree(cctx->env);
}
buffer_free(&cctx->cmd);
+ xfree(cctx);
return 0;
}
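Review bot: This is the second hand-written teardown of `cctx` in the patch (the first is the malformed-message branch in the -329/+331 hunk), and the two differ in form. That branch guards the env free with `env_len > 0`, while here `xfree(cctx->env)` sits inside a brace block whose condition is outside the hunk. The commit description says the leak is reached through a malformed new-session message, so any exit that skips one of these frees can be hit repeatedly by whoever sends that message. A comment above the sequence stating what the context owns would help keep the copies in step, for example `/* cctx owns term, env[] and cmd: release all three, then cctx itself */`.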