two minor memory leaks

Pete Flugstad peteflugstad at
Fri Jan 16 01:17:41 EST 2004

I think I've found two minor memory management issues (neither 
exploitable in any way) in OpenSSH 3.7.1p2 that should probably be 

In serverloop.c, function server_input_channel_open(), the ctype 
variable is a char *, dynamically allocated in packet_get_string.  It's 
xfree'd at the end of the function.  However, before that, it's passed 
to server_request_session/server_request_direct_tcpip, which call 
either channel_new or channel_connect_to, passing in ctype.  The channel 
structure keeps a pointer to ctype, so when server_input_channel_open 
returns, and xfree's the ctype pointer, the pointer held by the channel 
structure is now pointing at free'd memory.  The channel never appears 
to use the ctype at all (at least on the server side), so it's probably 
not a problem, but it probably should be fixed for the future.

In auth2-pubkey.c, the function userauth_pubkey(), around line 98 
(inside the have_sig condition) buffer_init is called in the b variable 
- this malloc's a buffer of 4096 bytes.  Later, around line 128, buffer 
clear is called.  This resets the internal buffer pointers, but does not 
free the malloc'd memory.  I believe this should be buffer_free, as the 
variable is not used again, and no pointers are kept to it's malloc'd 
data.  When the function returns, the pointer to the malloc'd data is lost.


More information about the openssh-unix-dev mailing list