[PATCH 7/12] bugfix: openssh-4.3p2

There are several memory management bugs here. First, the variable tmp
is allocated by infer_path. In one path this allocating function is
called again on the same variable without freeing the first instance.
In another path the variable is just not freed. The fix is to add the
xfree before the second call to infer_path and to move the existing
xfree to cover both paths (in one case this is on the result of the
first infer_path in the second it is on the second call.

The second bug is deadcode. The abs_dst variable has always been freed
by the time the value is checked to call xfree before return.

This patch fixes both bugs. This entire set of patches passed the
regression tests on my system. Bug found by Coverity.

Signed-off-by: Kylene Hall <kjhall@us.ibm.com>
---
sftp.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)

diff -uprN openssh-4.3p2/sftp.c openssh-4.3p2-kylie/sftp.c
--- openssh-4.3p2/sftp.c 2006-01-31 04:49:28.000000000 -0600
+++ openssh-4.3p2-kylie/sftp.c 2006-05-08 15:01:49.907239064 -0500
@@ -539,14 +539,15 @@ process_get(struct sftp_conn *conn, char
if (g.gl_matchc == 1 && dst) {
/* If directory specified, append filename */
if (is_dir(dst)) {
+ xfree(tmp);
if (infer_path(g.gl_pathv[0], &tmp)) {
err = 1;
goto out;
}
abs_dst = path_append(dst, tmp);
- xfree(tmp);
} else
abs_dst = xstrdup(dst);
+ xfree(tmp);
} else if (dst) {
abs_dst = path_append(dst, tmp);
xfree(tmp);
@@ -562,8 +563,6 @@ process_get(struct sftp_conn *conn, char

out:
xfree(abs_src);
- if (abs_dst)
- xfree(abs_dst);
globfree(&g);
return(err);
}


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev