[PATCH 7/12] bugfix: openssh-4.3p2

Kylene Jo Hall kjhall at us.ibm.com
Tue May 16 06:19:14 EST 2006

There are several memory management bugs here. First, the variable tmp
is allocated by infer_path.  In one path this allocating function is
called again on the same variable without freeing the first instance.
In another path the variable is just not freed.  The fix is to add the
xfree before the second call to infer_path and to move the existing
xfree to cover both paths (in one case this is on the result of the
first infer_path, in the second it is on the second call).

The second bug is dead code.  The abs_dst variable has always been freed
by the time the value is checked to call xfree before return.

This patch fixes both bugs.  This entire set of patches passed the
regression tests on my system. Bug found by Coverity.

Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
 sftp.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff -uprN openssh-4.3p2/sftp.c openssh-4.3p2-kylie/sftp.c
--- openssh-4.3p2/sftp.c	2006-01-31 04:49:28.000000000 -0600
+++ openssh-4.3p2-kylie/sftp.c	2006-05-08 15:01:49.907239064 -0500
@@ -539,14 +539,15 @@ process_get(struct sftp_conn *conn, char
 		if (g.gl_matchc == 1 && dst) {
 			/* If directory specified, append filename */
 			if (is_dir(dst)) {
+				xfree(tmp);
 				if (infer_path(g.gl_pathv[0], &tmp)) {
 					err = 1;
 					goto out;
 				abs_dst = path_append(dst, tmp);
-				xfree(tmp);
 			} else
 				abs_dst = xstrdup(dst);
+			xfree(tmp);
 		} else if (dst) {
 			abs_dst = path_append(dst, tmp);
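Review bot: the added xfree(tmp) ahead of the second infer_path() call leaves tmp dangling on the error path, because `goto out` is taken right after a failed infer_path(g.gl_pathv[0], &tmp) and nothing visible here guarantees that infer_path() assigns *tmp when it fails. Setting tmp = NULL right after that xfree(tmp), or confirming that nothing after the out label reads or frees tmp, would rule out a use-after-free or double free there. Separately, the `else if (dst)` branch also consumes tmp through path_append(dst, tmp) and the relocated xfree(tmp) does not cover it in the lines shown, so it is worth confirming that branch releases tmp as well.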
@@ -562,8 +563,6 @@ process_get(struct sftp_conn *conn, char
-	if (abs_dst)
-		xfree(abs_dst);
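Review bot: the removed `if (abs_dst) xfree(abs_dst);` is dead code only if abs_dst is reset to NULL wherever it is freed earlier; if it is freed and left non-NULL, these lines were a double free rather than unreachable code, and the commit message should say which case applies. The hunk carries no context lines, so it cannot be confirmed from here that every path reaching this point, including the `goto out` error path in the first hunk, has already released abs_dst. A short note in the description listing where abs_dst is freed on each path would make the removal easy to verify.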
