upstream: Plug mem leaks on error paths, based in part on github

pr#120 from David Carlier. ok djm@. OpenBSD-Commit-ID: c57adeb1022a8148fc86e5a88837b3b156dbdb7e
2019-09-13 04:36:43 +00:00 · 2019-09-13 04:36:43 +00:00 · b36ee3fcb2
parent 2aefdf1aef
commit b36ee3fcb2
2 changed files with 21 additions and 16 deletions
--- a/auth-options.c
+++ b/auth-options.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.88 2019/09/06 04:53:27 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */
 /*
 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
 *
@ -266,6 +266,7 @@ handle_permit(const char **optsp, int allow_bare_port,
 		 * listen_host wildcard.
 		 */
 		if (asprintf(&tmp, "*:%s", opt) == -1) {
 			free(opt);
 			*errstrp = "memory allocation failed";
 			return -1;
 		}
--- a/ssh_api.c
+++ b/ssh_api.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.17 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.18 2019/09/13 04:36:43 dtucker Exp $ */
 /*
 * Copyright (c) 2012 Markus Friedl.  All rights reserved.
 *
@ -330,8 +330,8 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
 	const char *mismatch = "Protocol mismatch.\r\n";
 	const u_char *s = sshbuf_ptr(input);
 	u_char c;
-	char *cp, *remote_version;
+	char *cp = NULL, *remote_version = NULL;
-	int r, remote_major, remote_minor, expect_nl;
+	int r = 0, remote_major, remote_minor, expect_nl;
 	size_t n, j;
 	for (j = n = 0;;) {
@ -357,10 +357,8 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
 		if (sshbuf_len(banner) >= 4 &&
 		    memcmp(sshbuf_ptr(banner), "SSH-", 4) == 0)
 			break;
-		if ((cp = sshbuf_dup_string(banner)) == NULL)
+		debug("%s: %.*s", __func__, (int)sshbuf_len(banner),
-			return SSH_ERR_ALLOC_FAIL;
+		    sshbuf_ptr(banner));
 		debug("%s: %s", __func__, cp);
 		free(cp);
 		/* Accept lines before banner only on client */
 		if (ssh->kex->server || ++n > SSH_MAX_PRE_BANNER_LINES) {
  bad:
@ -373,19 +371,22 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
 	if ((r = sshbuf_consume(input, j)) != 0)
 		return r;
 	if ((cp = sshbuf_dup_string(banner)) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
 	/* XXX remote version must be the same size as banner for sscanf */
-	if ((remote_version = calloc(1, sshbuf_len(banner))) == NULL)
+	if ((cp = sshbuf_dup_string(banner)) == NULL ||
-		return SSH_ERR_ALLOC_FAIL;
+	    (remote_version = calloc(1, sshbuf_len(banner))) == NULL) {
 		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
 	/*
 	 * Check that the versions match.  In future this might accept
 	 * several versions and set appropriate flags to handle them.
 	 */
 	if (sscanf(cp, "SSH-%d.%d-%[^\n]\n",
-	    &remote_major, &remote_minor, remote_version) != 3)
+	    &remote_major, &remote_minor, remote_version) != 3) {
-		return SSH_ERR_INVALID_FORMAT;
+		r = SSH_ERR_INVALID_FORMAT;
 		goto out;
 	}
 	debug("Remote protocol version %d.%d, remote software version %.100s",
 	    remote_major, remote_minor, remote_version);
@ -395,10 +396,13 @@ _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
 		remote_minor = 0;
 	}
 	if (remote_major != 2)
-		return SSH_ERR_PROTOCOL_MISMATCH;
+		r = SSH_ERR_PROTOCOL_MISMATCH;
 	debug("Remote version string %.100s", cp);
 out:
 	free(cp);
-	return 0;
+	free(remote_version);
 	return r;
 }
 /* Send our own protocol version identification. */