In the else loop, args.list is set to NULL without releasing memory, resulting in a memory leak.

    static struct sftp_conn *
    do_sftp_connect(char *host, char *user, int port, char *sftp_direct,
        int *reminp, int *remoutp, int *pidp)
    {
        if (sftp_direct == NULL) {
            if (do_cmd(ssh_program, host, user, port, 1, "sftp",
                reminp, remoutp, pidp) < 0)
                return NULL;
        } else {
            args.list = NULL;   /* previous list dropped without freeargs() */
            addargs(&args, "sftp-server");
            if (do_cmd(sftp_direct, host, NULL, -1, 0, "sftp",
                reminp, remoutp, pidp) < 0)
                return NULL;
        }
        return do_init(*reminp, *remoutp, 32768, 64, limit_kbps);
    }
Created attachment 3585
use freeargs(), more addargs(), etc paranoia
Thanks - fix has been applied and will be in OpenSSH 9.0

commit 16ea8b85838dd7a4dbeba4e51ac4f43fd68b1e5b (HEAD -> master, origin/master, origin/HEAD)
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sun Mar 20 08:52:17 2022 +0000

    upstream: don't leak argument list; bz3404, reported by Balu Gajjala

    ok dtucker@

    OpenBSD-Commit-ID: fddc32d74e5dd5cff1a49ddd6297b0867eae56a6
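The leak in the reported else branch and the freeargs() fix side by side, as an added C example that is not OpenSSH's code: a small stand-in for OpenSSH's arglist, addargs() and freeargs() (assumed shape) that counts live heap strings, plus hypothetical reset_args()/demo() helpers that reuse a populated list either by assigning list = NULL, as in the report, or by calling freeargs() first.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct arglist { char **list; unsigned num, nalloc; }; /* assumed shape */
static int live_strings; /* heap strings currently owned by some arglist */

/* Append one printf-style argument; allocate the array on first use. */
static void addargs(struct arglist *a, const char *fmt, ...) {
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (a->list == NULL) { a->nalloc = 4; a->num = 0; a->list = calloc(a->nalloc, sizeof *a->list); }
    else if (a->num + 2 >= a->nalloc) { a->nalloc *= 2; a->list = realloc(a->list, a->nalloc * sizeof *a->list); }
    a->list[a->num] = malloc(strlen(buf) + 1); strcpy(a->list[a->num++], buf);
    a->list[a->num] = NULL;
    live_strings++;
}

/* Free every string and the array, leaving the list empty and reusable. */
static void freeargs(struct arglist *a) {
    if (a->list == NULL) return;
    for (unsigned i = 0; i < a->num; i++) { free(a->list[i]); live_strings--; }
    free(a->list);
    a->list = NULL; a->num = a->nalloc = 0;
}

/* Hypothetical helper: reuse an already-populated list the way the reported
 * else branch does, then report how many strings became unreachable. */
static int reset_args(struct arglist *a, int use_freeargs) {
    int start = live_strings, held = (int)a->num;
    if (use_freeargs) freeargs(a);  /* fix: release the old list first */
    else a->list = NULL;            /* bug: old array and strings leak */
    addargs(a, "sftp-server");
    freeargs(a);
    return live_strings - (start - held);
}

/* Build a two-entry list (constructed sample), then reset it either way. */
int demo(int use_freeargs) {
    struct arglist args = { NULL, 0, 0 };
    addargs(&args, "%s", "ssh");
    addargs(&args, "-p%d", 22);
    return reset_args(&args, use_freeargs);  /* 2 without freeargs(), 0 with */
}
```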
Closing bugs from OpenSSH 9.1 release cycle