3539 – sshbuf memory leak in recv_rexec_state()

Bug 3539 - sshbuf memory leak in recv_rexec_state()

Summary: sshbuf memory leak in recv_rexec_state()

Status:	NEW

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	sshd (show other bugs)
Version:	9.1p1
Hardware:	All All

Importance:	P5 normal
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-02-14 01:05 AEDT by Michael Rash
Modified:	2023-02-14 01:21 AEDT (History)
CC List:	1 user (show)

See Also:

Attachments
fix sshbuf memory leak in recv_rexec_state() (252 bytes, application/octet-stream) 2023-02-14 01:05 AEDT, Michael Rash	no flags	Details
fix sshbuf memory leak in recv_rexec_state() (228 bytes, patch) 2023-02-14 01:19 AEDT, Michael Rash	no flags	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Rash 2023-02-14 01:05:57 AEDT

Created attachment 3671 [details]
fix sshbuf memory leak in recv_rexec_state()

In recv_rexec_state() the sshbuf 'inc' is not free'd before returning. The attached trivial patch fixes this, and matches the behavior of send_rexec_state() which does free a similarly allocated buffer of the same name.

Comment 1 Michael Rash 2023-02-14 01:19:56 AEDT

Created attachment 3672 [details]
fix sshbuf memory leak in recv_rexec_state()

Here is a patch with tabs instead of spaces to align with coding style.

Comment 2 Michael Rash 2023-02-14 01:21:17 AEDT

(In reply to Michael Rash from comment #1)
> Created attachment 3672 [details]
> fix sshbuf memory leak in recv_rexec_state()
> 
> Here is a patch with tabs instead of spaces to align with coding
> style.

In recv_rexec_state() the sshbuf 'inc' is not free'd before returning. The attached trivial patch fixes this, and matches the behavior of send_rexec_state() which does free a similarly allocated buffer of the same name.