authorDamien Miller <djm@mindrot.org>2012-07-06 13:44:43 +1000
committerDamien Miller <djm@mindrot.org>2012-07-06 13:44:43 +1000
commitab523b02467f36a2f85c1a8bff6cf2fd4297fb12 (patch)
treee8944e6d41815baeb1502138a38723fcbda36870 /mux.c
parentdfceafe8b11a4a1f9890a37e0cd88b01eb9cc30c (diff)
- djm@cvs.openbsd.org 2012/07/06 01:37:21
[mux.c] fix memory leak of passed-in environment variables and connection context when new session message is malformed; bz#2003 from Bert.Wesarg AT googlemail.com
Diffstat (limited to 'mux.c')
-rw-r--r--mux.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/mux.c b/mux.c
index 3dd5e262c..5e0e65ff3 100644
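--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.35 2012/06/01 01:01:22 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */
 /*
  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
  *
@@ -316,6 +316,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
  cctx->term = NULL;
  cctx->rid = rid;
  cmd = reserved = NULL;
+ cctx->env = NULL;
+ env_len = 0;
  if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
  buffer_get_int_ret(&cctx->want_tty, m) != 0 ||
  buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 ||
@@ -329,16 +331,19 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
  xfree(cmd);
  if (reserved != NULL)
  xfree(reserved);
+ for (j = 0; j < env_len; j++)
+ xfree(cctx->env[j]);
+ if (env_len > 0)
+ xfree(cctx->env);
  if (cctx->term != NULL)
  xfree(cctx->term);
+ xfree(cctx);
  error("%s: malformed message", __func__);
  return -1;
  }
  xfree(reserved);
  reserved = NULL;
 
- cctx->env = NULL;
- env_len = 0;
  while (buffer_len(m) > 0) {
 #define MUX_MAX_ENV_VARS 4096
  if ((cp = buffer_get_string_ret(m, &len)) == NULL)
@@ -413,6 +418,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
  xfree(cctx->env);
  }
  buffer_free(&cctx->cmd);
+ xfree(cctx);
  return 0;
  }
 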
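Review bot: The cleanup loop added at new lines 334–337 is only safe because `cctx->env = NULL;` and `env_len = 0;` were moved above the first `buffer_get_*_ret()` call (new lines 319–320), and nothing in the code records that ordering requirement. A comment above the moved initialisers, such as `/* must be set before any parse failure: the malformed-message cleanup walks env[0..env_len) */`, would stop a later reorder from making this error path free uninitialised pointers when a client sends a malformed message. The `if (env_len > 0)` guard also differs from the `!= NULL` guards used for `reserved` and `term` in the same branch. `if (cctx->env != NULL)` would match them, assuming `env` is only allocated together with an `env_len` increment; the loop body that does this is outside these hunks, so that needs confirming. process_mux_new_session starts and ends outside the visible hunks, so other exits that may need the same `xfree(cctx)` cannot be checked from here.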