From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 1 Jul 2022 03:35:45 +0000 Subject: [PATCH] upstream: Always return allocated strings from the kex filtering so that we can free them later. Fix one leak in compat_kex_proposal. Based on github PR#324 from ZoltanFridrich with some simplications by me. ok djm@ OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4 --- compat.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/compat.c b/compat.c index 0dbea68c6..46dfe3a9c 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -156,11 +156,12 @@ compat_banner(struct ssh *ssh, const char *version) debug_f("no match: %s", version); } +/* Always returns pointer to allocated memory, caller must free. */ char * compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) { if (!(ssh->compat & SSH_BUG_BIGENDIANAES)) - return cipher_prop; + return xstrdup(cipher_prop); debug2_f("original cipher proposal: %s", cipher_prop); if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL) fatal("match_filter_denylist failed"); @@ -170,11 +171,12 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) return cipher_prop; } +/* Always returns pointer to allocated memory, caller must free. */ char * compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) { if (!(ssh->compat & SSH_BUG_RSASIGMD5)) - return pkalg_prop; + return xstrdup(pkalg_prop); debug2_f("original public key proposal: %s", pkalg_prop); if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) fatal("match_filter_denylist failed"); @@ -184,21 +186,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) return pkalg_prop; } +/* Always returns pointer to allocated memory, caller must free. */ char * compat_kex_proposal(struct ssh *ssh, char *p) { + char *cp = NULL; + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) - return p; + return xstrdup(p); debug2_f("original KEX proposal: %s", p); if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) if ((p = match_filter_denylist(p, "curve25519-sha256@libssh.org")) == NULL) fatal("match_filter_denylist failed"); if ((ssh->compat & SSH_OLD_DHGEX) != 0) { + cp = p; if ((p = match_filter_denylist(p, "diffie-hellman-group-exchange-sha256," "diffie-hellman-group-exchange-sha1")) == NULL) fatal("match_filter_denylist failed"); + free(cp); } debug2_f("compat KEX proposal: %s", p); if (*p == '\0')