diff options
| author | Damien Miller <djm@mindrot.org> | 2012-07-06 13:44:43 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-07-06 13:44:43 +1000 |
| commit | ab523b02467f36a2f85c1a8bff6cf2fd4297fb12 (patch) | |
| tree | e8944e6d41815baeb1502138a38723fcbda36870 /mux.c | |
| parent | dfceafe8b11a4a1f9890a37e0cd88b01eb9cc30c (diff) | |
- djm@cvs.openbsd.org 2012/07/06 01:37:21
[mux.c]
fix memory leak of passed-in environment variables and connection
context when new session message is malformed; bz#2003 from Bert.Wesarg
AT googlemail.com
Diffstat (limited to 'mux.c')
| -rw-r--r-- | mux.c | 12 |
1 files changed, 9 insertions, 3 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: mux.c,v 1.35 2012/06/01 01:01:22 djm Exp $ */ | 1 | /* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> | 3 | * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> |
| 4 | * | 4 | * |
| @@ -316,6 +316,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) | |||
| 316 | cctx->term = NULL; | 316 | cctx->term = NULL; |
| 317 | cctx->rid = rid; | 317 | cctx->rid = rid; |
| 318 | cmd = reserved = NULL; | 318 | cmd = reserved = NULL; |
| 319 | cctx->env = NULL; | ||
| 320 | env_len = 0; | ||
| 319 | if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || | 321 | if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || |
| 320 | buffer_get_int_ret(&cctx->want_tty, m) != 0 || | 322 | buffer_get_int_ret(&cctx->want_tty, m) != 0 || |
| 321 | buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || | 323 | buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || |
| @@ -329,16 +331,19 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) | |||
| 329 | xfree(cmd); | 331 | xfree(cmd); |
| 330 | if (reserved != NULL) | 332 | if (reserved != NULL) |
| 331 | xfree(reserved); | 333 | xfree(reserved); |
| 334 | for (j = 0; j < env_len; j++) | ||
| 335 | xfree(cctx->env[j]); | ||
| 336 | if (env_len > 0) | ||
| 337 | xfree(cctx->env); | ||
| 332 | if (cctx->term != NULL) | 338 | if (cctx->term != NULL) |
| 333 | xfree(cctx->term); | 339 | xfree(cctx->term); |
| 340 | xfree(cctx); | ||
| 334 | error("%s: malformed message", __func__); | 341 | error("%s: malformed message", __func__); |
| 335 | return -1; | 342 | return -1; |
| 336 | } | 343 | } |
| 337 | xfree(reserved); | 344 | xfree(reserved); |
| 338 | reserved = NULL; | 345 | reserved = NULL; |
| 339 | 346 | ||
| 340 | cctx->env = NULL; | ||
| 341 | env_len = 0; | ||
| 342 | while (buffer_len(m) > 0) { | 347 | while (buffer_len(m) > 0) { |
| 343 | #define MUX_MAX_ENV_VARS 4096 | 348 | #define MUX_MAX_ENV_VARS 4096 |
| 344 | if ((cp = buffer_get_string_ret(m, &len)) == NULL) | 349 | if ((cp = buffer_get_string_ret(m, &len)) == NULL) |
| @@ -413,6 +418,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) | |||
| 413 | xfree(cctx->env); | 418 | xfree(cctx->env); |
| 414 | } | 419 | } |
| 415 | buffer_free(&cctx->cmd); | 420 | buffer_free(&cctx->cmd); |
| 421 | xfree(cctx); | ||
| 416 | return 0; | 422 | return 0; |
| 417 | } | 423 | } |
| 418 | 424 | ||