diff options
author | Damien Miller <djm@mindrot.org> | 2012-07-06 13:44:43 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2012-07-06 13:44:43 +1000 |
commit | ab523b02467f36a2f85c1a8bff6cf2fd4297fb12 (patch) | |
tree | e8944e6d41815baeb1502138a38723fcbda36870 /mux.c | |
parent | dfceafe8b11a4a1f9890a37e0cd88b01eb9cc30c (diff) |
- djm@cvs.openbsd.org 2012/07/06 01:37:21
[mux.c]
fix memory leak of passed-in environment variables and connection
context when new session message is malformed; bz#2003 from Bert.Wesarg
AT googlemail.com
Diffstat (limited to 'mux.c')
-rw-r--r-- | mux.c | 12 |
1 files changed, 9 insertions, 3 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: mux.c,v 1.35 2012/06/01 01:01:22 djm Exp $ */ | 1 | /* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> | 3 | * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> |
4 | * | 4 | * |
@@ -316,6 +316,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) | |||
316 | cctx->term = NULL; | 316 | cctx->term = NULL; |
317 | cctx->rid = rid; | 317 | cctx->rid = rid; |
318 | cmd = reserved = NULL; | 318 | cmd = reserved = NULL; |
319 | cctx->env = NULL; | ||
320 | env_len = 0; | ||
319 | if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || | 321 | if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || |
320 | buffer_get_int_ret(&cctx->want_tty, m) != 0 || | 322 | buffer_get_int_ret(&cctx->want_tty, m) != 0 || |
321 | buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || | 323 | buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || |
@@ -329,16 +331,19 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) | |||
329 | xfree(cmd); | 331 | xfree(cmd); |
330 | if (reserved != NULL) | 332 | if (reserved != NULL) |
331 | xfree(reserved); | 333 | xfree(reserved); |
334 | for (j = 0; j < env_len; j++) | ||
335 | xfree(cctx->env[j]); | ||
336 | if (env_len > 0) | ||
337 | xfree(cctx->env); | ||
332 | if (cctx->term != NULL) | 338 | if (cctx->term != NULL) |
333 | xfree(cctx->term); | 339 | xfree(cctx->term); |
340 | xfree(cctx); | ||
334 | error("%s: malformed message", __func__); | 341 | error("%s: malformed message", __func__); |
335 | return -1; | 342 | return -1; |
336 | } | 343 | } |
337 | xfree(reserved); | 344 | xfree(reserved); |
338 | reserved = NULL; | 345 | reserved = NULL; |
339 | 346 | ||
340 | cctx->env = NULL; | ||
341 | env_len = 0; | ||
342 | while (buffer_len(m) > 0) { | 347 | while (buffer_len(m) > 0) { |
343 | #define MUX_MAX_ENV_VARS 4096 | 348 | #define MUX_MAX_ENV_VARS 4096 |
344 | if ((cp = buffer_get_string_ret(m, &len)) == NULL) | 349 | if ((cp = buffer_get_string_ret(m, &len)) == NULL) |
@@ -413,6 +418,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) | |||
413 | xfree(cctx->env); | 418 | xfree(cctx->env); |
414 | } | 419 | } |
415 | buffer_free(&cctx->cmd); | 420 | buffer_free(&cctx->cmd); |
421 | xfree(cctx); | ||
416 | return 0; | 422 | return 0; |
417 | } | 423 | } |
418 | 424 | ||