[PATCH 9/12] bug fix: openssh 4.3p2 possible NULL dereference
Kylene Jo Hall
kjhall at us.ibm.com
Tue May 16 06:19:20 EST 2006
key is freed outside of the if that checks if key is NULL; therefore,
NULL could be sent to the key_free function, which will not handle it
correctly. The fix is to move key_free to a place where you know key is
not NULL. This patch moves the key_free call. This entire set of
patches passed the regression tests on my system. Bug found by Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
ssh-agent.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
diff -uprN openssh-4.3p2/ssh-agent.c openssh-4.3p2-kylie/ssh-agent.c
--- openssh-4.3p2/ssh-agent.c 2005-11-04 22:15:00.000000000 -0600
+++ openssh-4.3p2-kylie/ssh-agent.c 2006-05-04 15:05:48.000000000 -0500
@@ -305,8 +305,8 @@ process_sign_request2(SocketEntry *e)
Identity *id = lookup_identity(key, 2);
if (id != NULL && (!id->confirm || confirm_key(id) == 0))
ok = key_sign(id->key, &signature, &slen, data, dlen);
+ key_free(key);
}
- key_free(key);
buffer_init(&msg);
if (ok == 0) {
buffer_put_char(&msg, SSH2_AGENT_SIGN_RESPONSE);
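Review bot: the relocated `+ key_free(key);` sits just before a `}` whose opening guard is outside this hunk's three lines of context, so a reader cannot verify from the hunk alone that the brace closes the `if (key != NULL)` check the description relies on; regenerating the diff with more context or naming the guard in the description would make the "free only when non-NULL" claim checkable. The placement also means key is freed on both the found and not-found paths of `lookup_identity`, which is correct, but it is worth confirming there is no early return between `lookup_identity` and the new call that would now leak key. As a complementary hardening, teaching `key_free` itself to accept NULL would close the same Coverity finding at every other call site instead of only this one.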