Potential memory leak in sshd [detected by melton]

Zhenbo Xu zhenbo1987 at gmail.com
Mon Feb 6 20:09:10 EST 2012


2012/2/6 Ángel González <keisial at gmail.com>

>  On 06/02/12 03:30, Zhenbo Xu wrote:
>
>     The 10th report is another false positive:
>>   Logic error Memory leak auth-options.i 10587 28 View Report<http://lcs.ios.ac.cn/%7Exuzb/bugsfound/memleak/openssh-5.9p1/realbugs/sshd/report-mVEeJj.html#EndPath>
>> http://lcs.ios.ac.cn/~xuzb/bugsfound/memleak/openssh-5.9p1/realbugs/sshd/report-mVEeJj.html#EndPath
>>
>> Melton complains that in line 10587 the memory of data wasn't released,
>> but there's a call to buffer_free(&data);
>> in line 10585.
>>
>>
>  What melton complains is the heap object returned by
> buffer_get_cstring_ret<http://lcs.ios.ac.cn/%7Exuzb/bugsfound/memleak/openssh-5.9p1/realbugs/sshd/linked_files/linked-TOML0p.html#Path29_2> wasn't
> released.
>
> You are right. I missed that it was about allowed.
> However, Melton is doing:
>
>    switch (addr_match_cidr_list(remote_ip,
>     11
>  Control jumps to 'case 1:' at line 10525
>   10524 allowed)) {  10525 case 1:  10526   10527 xfree(allowed);  10528
> break;
>     12
>  Execution continues on line 10548
>
> Where it is freed (and add_match_cidr_list can only return -1, 0 or 1 so
> all cases are covered).
>
> Then it seems to do another loop where buffer_get_cstring_ret<http://lcs.ios.ac.cn/%7Exuzb/bugsfound/memleak/openssh-5.9p1/realbugs/sshd/linked_files/linked-TOML0p.html#Path29_2>returns NULL, so nothing was allocated.
>
> I still don't see the leak.
>
>
What if line 10511 takes the true branch, and it just "goto out"in line
10514 without releasing allowed.



-- 
Zhenbo Xu


More information about the openssh-unix-dev mailing list