Potential memory leak in sshd [detected by melton]

Ángel González keisial at gmail.com
Mon Feb 6 08:34:30 EST 2012


On 04/02/12 02:55, Zhenbo Xu wrote:
> The url below is the index of bug reports that are checked as real
> bugs manually.
>
> http://lcs.ios.ac.cn/~xuzb/bugsfound/memleak/openssh-5.9p1/realbugs/sshd/index.html
>
> Shall we fix these bugs? Or just let them go since they are not so serious?
>
> Hope for your replies!

The seventh report is not complete, but seems a genuine leak:
Logic error 	Memory leak 	auth2-chall.i 	9868 	5 	View Report
<http://lcs.ios.ac.cn/%7Exuzb/bugsfound/memleak/openssh-5.9p1/realbugs/sshd/report-0o5DSr.html#EndPath>


Melton complains that authctxt->kbdintctxt is never freed.
The return value passes authctxt to auth2_challenge_start(), and
auth2_challenge_start() may call auth2_challenge_stop(), which frees it
(line 9878) [melton doesn't realise this].
In the path where it doesn't free it, it sets authctxt->postponed and
returns 0 to userauth_kbdint(), itself called from
input_userauth_request() at auth2.c line 283.
That then calls userauth_finish() at line 285, which returns at line 336.
And input_userauth_request() finishes with authctxt going out of scope,
without authctxt->kbdintctxt having been freed.
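The control flow in the analysis above, as an added, constructed model: this is not OpenSSH code and does not reproduce sshd's real ownership of the authentication context. The struct and field names (authctxt, kbdintctxt, postponed) follow the mail; challenge_start(), challenge_stop(), request_as_described(), request_with_owner(), struct pending, pending_release() and the live_kbdint counter are stand-ins invented here so the two exit paths of the callee can be exercised and the number of outstanding child contexts observed. The second request variant goes beyond the mail by making the owner of a postponed context explicit; that design is an assumption, not a description of how sshd handles it.

```c
/* Constructed model of the flow described in the mail; not OpenSSH code.
 * Names follow the mail, the functions are simplified stand-ins, and
 * live_kbdint / last_alloc are added instrumentation so a harness can
 * see which path released the child context. */
#include <stdlib.h>
#include <string.h>

static int live_kbdint = 0;                 /* kbdintctxt objects not yet freed */
static struct kbdintctxt *last_alloc = NULL; /* harness hook to reclaim a leaked object */

struct kbdintctxt { char *devices; };

struct authctxt {
    int postponed;
    struct kbdintctxt *kbdintctxt;
};

/* Longer-lived holder standing in for whatever must keep a postponed
 * context until the client's follow-up message arrives (assumption). */
struct pending { struct kbdintctxt *kbdintctxt; };

static struct kbdintctxt *kbdint_alloc(const char *devs) {
    struct kbdintctxt *k = calloc(1, sizeof *k);
    if (k == NULL) abort();
    k->devices = malloc(strlen(devs) + 1);
    if (k->devices == NULL) abort();
    memcpy(k->devices, devs, strlen(devs) + 1);
    live_kbdint++;
    last_alloc = k;
    return k;
}

static void kbdint_free(struct kbdintctxt *k) {
    if (k == NULL) return;
    if (k == last_alloc) last_alloc = NULL;
    free(k->devices);
    free(k);
    live_kbdint--;
}

/* Stand-in for auth2_challenge_stop(): tears down the child context. */
static void challenge_stop(struct authctxt *a) {
    kbdint_free(a->kbdintctxt);
    a->kbdintctxt = NULL;
}

/* Stand-in for auth2_challenge_start(). Both branches return 0, so the
 * return value tells the caller nothing about who now owns kbdintctxt:
 * one branch freed it, the other marked the request postponed and kept it. */
static int challenge_start(struct authctxt *a, int have_device) {
    if (!have_device) {
        challenge_stop(a);          /* the free the analyzer did not follow */
        return 0;
    }
    a->postponed = 1;               /* context intentionally kept alive */
    return 0;
}

/* Flow as the mail reads it: authctxt is treated as local to the request
 * and leaves scope once the call returns. Returns live_kbdint afterwards:
 * 0 when challenge_start() freed it, 1 on the postponed path. */
static int request_as_described(int have_device) {
    struct authctxt ctx = {0, NULL};
    ctx.kbdintctxt = kbdint_alloc("pam");
    (void)challenge_start(&ctx, have_device);
    return live_kbdint;             /* ctx goes out of scope here */
}

/* Same flow with ownership made explicit (assumed design): on the postponed
 * path the child context moves to a holder that outlives the request, and
 * that holder is the one place responsible for releasing it. */
static int request_with_owner(int have_device, struct pending *p) {
    struct authctxt ctx = {0, NULL};
    ctx.kbdintctxt = kbdint_alloc("pam");
    (void)challenge_start(&ctx, have_device);
    if (ctx.postponed) {
        p->kbdintctxt = ctx.kbdintctxt; /* transfer, not a second reference */
        ctx.kbdintctxt = NULL;
    } else {
        challenge_stop(&ctx);           /* no-op if challenge_start() already freed it */
    }
    return live_kbdint;
}

/* Release a postponed context from its holder; returns live_kbdint afterwards. */
static int pending_release(struct pending *p) {
    kbdint_free(p->kbdintctxt);
    p->kbdintctxt = NULL;
    return live_kbdint;
}

/* Harness-only: reclaim the object request_as_described() let slip, so a
 * test run does not end with outstanding heap memory. */
static int reclaim_last(void) {
    kbdint_free(last_alloc);
    return live_kbdint;
}
```

Run the two request variants with have_device = 0 and have_device = 1 and watch live_kbdint: the described flow is clean on the stop path and leaves one object behind on the postponed path, because nothing that can still reach the pointer runs after the call returns; the variant with an explicit holder ends at zero once pending_release() is called.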



More information about the openssh-unix-dev mailing list