From c3903c38b0fd168ab3d925c2b129d1a599593426 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 13 Aug 2018 02:41:05 +0000
Subject: upstream: revert compat.[ch] section of the following change. It

causes double-free under some circumstances.

--

date: 2018/07/31 03:07:24;  author: djm;  state: Exp;  lines: +33 -18;  commitid: f7g4UI8eeOXReTPh;
fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
feedback and ok dtucker@

OpenBSD-Commit-ID: 1e77547f60fdb5e2ffe23e2e4733c54d8d2d1137
---
 compat.c | 51 ++++++++++++++++++---------------------------------
 1 file changed, 18 insertions(+), 33 deletions(-)

(limited to 'compat.c')

diff --git a/compat.c b/compat.c
index 563e13331..0624dc6de 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.112 2018/07/31 03:07:24 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.113 2018/08/13 02:41:05 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -184,17 +184,13 @@ proto_spec(const char *spec)
 }
 
 char *
-compat_cipher_proposal(char *cipher_prop, u_int compat)
+compat_cipher_proposal(char *cipher_prop)
 {
-	char *cp;
-
-	if (!(compat & SSH_BUG_BIGENDIANAES))
+	if (!(datafellows & SSH_BUG_BIGENDIANAES))
 		return cipher_prop;
 	debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
-	if ((cp = match_filter_blacklist(cipher_prop, "aes*")) == NULL)
+	if ((cipher_prop = match_filter_blacklist(cipher_prop, "aes*")) == NULL)
 		fatal("match_filter_blacklist failed");
-	free(cipher_prop);
-	cipher_prop = cp;
 	debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
 	if (*cipher_prop == '\0')
 		fatal("No supported ciphers found");
@@ -202,17 +198,13 @@ compat_cipher_proposal(char *cipher_prop, u_int compat)
 }
 
 char *
-compat_pkalg_proposal(char *pkalg_prop, u_int compat)
+compat_pkalg_proposal(char *pkalg_prop)
 {
-	char *cp;
-
-	if (!(compat & SSH_BUG_RSASIGMD5))
+	if (!(datafellows & SSH_BUG_RSASIGMD5))
 		return pkalg_prop;
 	debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
-	if ((cp = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL)
+	if ((pkalg_prop = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL)
 		fatal("match_filter_blacklist failed");
-	free(pkalg_prop);
-	pkalg_prop = cp;
 	debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
 	if (*pkalg_prop == '\0')
 		fatal("No supported PK algorithms found");
@@ -220,31 +212,24 @@ compat_pkalg_proposal(char *pkalg_prop, u_int compat)
 }
 
 char *
-compat_kex_proposal(char *kex_prop, u_int compat)
+compat_kex_proposal(char *p)
 {
-	char *cp;
-
-	if ((compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
-		return kex_prop;
-	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-	if ((compat & SSH_BUG_CURVE25519PAD) != 0) {
-		if ((cp = match_filter_blacklist(kex_prop,
+	if ((datafellows & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+		return p;
+	debug2("%s: original KEX proposal: %s", __func__, p);
+	if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
+		if ((p = match_filter_blacklist(p,
 		    "curve25519-sha256@libssh.org")) == NULL)
 			fatal("match_filter_blacklist failed");
-		free(kex_prop);
-		kex_prop = cp;
-	}
-	if ((compat & SSH_OLD_DHGEX) != 0) {
-		if ((cp = match_filter_blacklist(kex_prop,
+	if ((datafellows & SSH_OLD_DHGEX) != 0) {
+		if ((p = match_filter_blacklist(p,
 		    "diffie-hellman-group-exchange-sha256,"
 		    "diffie-hellman-group-exchange-sha1")) == NULL)
 			fatal("match_filter_blacklist failed");
-		free(kex_prop);
-		kex_prop = cp;
 	}
-	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-	if (*kex_prop == '\0')
+	debug2("%s: compat KEX proposal: %s", __func__, p);
+	if (*p == '\0')
 		fatal("No supported key exchange algorithms found");
-	return kex_prop;
+	return p;
 }
 
-- 
cgit v1.2.3