summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2012-07-06 13:44:43 +1000
committerDamien Miller <djm@mindrot.org>2012-07-06 13:44:43 +1000
commitab523b02467f36a2f85c1a8bff6cf2fd4297fb12 (patch)
treee8944e6d41815baeb1502138a38723fcbda36870
parentdfceafe8b11a4a1f9890a37e0cd88b01eb9cc30c (diff)
- djm@cvs.openbsd.org 2012/07/06 01:37:21
[mux.c] fix memory leak of passed-in environment variables and connection context when new session message is malformed; bz#2003 from Bert.Wesarg AT googlemail.com
Diffstat
-rw-r--r--ChangeLog5
-rw-r--r--mux.c12
2 files changed, 14 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 0d876d2ae..68811e63b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,11 @@
11 Add options to specify starting line number and number of lines to process 11 Add options to specify starting line number and number of lines to process
12 when screening moduli candidates. This allows processing of different 12 when screening moduli candidates. This allows processing of different
13 parts of a candidate moduli file in parallel. man page help jmc@, ok djm@ 13 parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
14 - djm@cvs.openbsd.org 2012/07/06 01:37:21
15 [mux.c]
16 fix memory leak of passed-in environment variables and connection
17 context when new session message is malformed; bz#2003 from Bert.Wesarg
18 AT googlemail.com
14 19
1520120704 2020120704
16 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for 21 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
diff --git a/mux.c b/mux.c
index 3dd5e262c..5e0e65ff3 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mux.c,v 1.35 2012/06/01 01:01:22 djm Exp $ */ 1/* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -316,6 +316,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
316 cctx->term = NULL; 316 cctx->term = NULL;
317 cctx->rid = rid; 317 cctx->rid = rid;
318 cmd = reserved = NULL; 318 cmd = reserved = NULL;
319 cctx->env = NULL;
320 env_len = 0;
319 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || 321 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
320 buffer_get_int_ret(&cctx->want_tty, m) != 0 || 322 buffer_get_int_ret(&cctx->want_tty, m) != 0 ||
321 buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || 323 buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 ||
@@ -329,16 +331,19 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
329 xfree(cmd); 331 xfree(cmd);
330 if (reserved != NULL) 332 if (reserved != NULL)
331 xfree(reserved); 333 xfree(reserved);
334 for (j = 0; j < env_len; j++)
335 xfree(cctx->env[j]);
336 if (env_len > 0)
337 xfree(cctx->env);
332 if (cctx->term != NULL) 338 if (cctx->term != NULL)
333 xfree(cctx->term); 339 xfree(cctx->term);
340 xfree(cctx);
334 error("%s: malformed message", __func__); 341 error("%s: malformed message", __func__);
335 return -1; 342 return -1;
336 } 343 }
337 xfree(reserved); 344 xfree(reserved);
338 reserved = NULL; 345 reserved = NULL;
339 346
340 cctx->env = NULL;
341 env_len = 0;
342 while (buffer_len(m) > 0) { 347 while (buffer_len(m) > 0) {
343#define MUX_MAX_ENV_VARS 4096 348#define MUX_MAX_ENV_VARS 4096
344 if ((cp = buffer_get_string_ret(m, &len)) == NULL) 349 if ((cp = buffer_get_string_ret(m, &len)) == NULL)
@@ -413,6 +418,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
413 xfree(cctx->env); 418 xfree(cctx->env);
414 } 419 }
415 buffer_free(&cctx->cmd); 420 buffer_free(&cctx->cmd);
421 xfree(cctx);
416 return 0; 422 return 0;
417 } 423 }
418 424
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-08 10:30:38 +0000