During initialization a memory leak occurs in ssh_set_newkeys(). During startup ssh_set_newkeys() is called twice, once with MODE_OUT and once with MODE_IN. Accordingly the ccp pointer points to state->send_context and state->receive_context. At this time state->newkeys[mode] is still NULL, so the if-clause ("rekeying") does not apply. Further down cipher_init(ccp, ) is called. The first thing that cipher_init() does is set *ccp = NULL; which is equivalent to "state->send_context = NULL" (or "state->send_context = NULL"). These already point to memory blocks. The pointers are lost, the memory leaks.

Proposal: move cipher_free(*ccp); *ccp = NULL; out of the "rekeying" if-clause and place these two lines before calling cipher_init(). Alternately add if (*ccp != NULL) { cipher_free(*ccp); *ccp = NULL; } before calling cipher_init().
Created attachment 3215 [details] patch to fix memory leak (proposal 1).
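A small C model of the leak pattern the report describes, added here as an illustration and not OpenSSH's own code: the struct, the live-context counter and the function shapes are constructed for the demo, and cipher_init() reproduces only the "*ccp = NULL first, then allocate" behaviour the report points at. Running set_newkeys with fixed == 0 loses the pre-existing context; fixed == 1 applies the report's second proposal.

```c
#include <stdlib.h>

/* Constructed stand-in for OpenSSH's opaque cipher context (not real code). */
struct sshcipher_ctx { unsigned char key[32]; };

/* Contexts allocated and not yet freed: the demo's leak detector. */
static int live_contexts = 0;

static void cipher_free(struct sshcipher_ctx *cc)
{
    if (cc == NULL) return;
    free(cc);
    live_contexts--;
}

/* Mirrors what the report describes: cipher_init() first sets *ccp = NULL,
 * so a context already sitting in the slot is unreachable from then on. */
static int cipher_init(struct sshcipher_ctx **ccp)
{
    *ccp = NULL;
    *ccp = calloc(1, sizeof(**ccp));
    if (*ccp == NULL) return -1;
    live_contexts++;
    return 0;
}

/* fixed == 0: original shape, old context freed only on the rekeying path.
 * fixed == 1: the report's second proposal, free whatever is there first. */
static int set_newkeys(struct sshcipher_ctx **ccp, int rekeying, int fixed)
{
    if (rekeying || (fixed && *ccp != NULL)) {
        cipher_free(*ccp);
        *ccp = NULL;
    }
    return cipher_init(ccp);
}

/* Startup as described: the slot already holds a context and newkeys[mode]
 * is NULL, so no rekey. Returns live contexts afterwards: 1 = no leak. */
static int live_after_startup(int fixed)
{
    struct sshcipher_ctx *ctx = NULL;
    live_contexts = 0;
    cipher_init(&ctx);           /* pre-existing send/receive context */
    set_newkeys(&ctx, 0, fixed); /* first key exchange, no rekey yet */
    int live = live_contexts;
    cipher_free(ctx);
    return live;
}
```

Under a leak checker such as valgrind or ASan the same difference shows up as one "definitely lost" block per context slot in the unfixed variant.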
This was fixed back in OpenSSH 8.0 last year, but I forgot to update this bug at the time. Thanks!
closing resolved bugs as of 8.6p1 release