Potential memory leak in sshd [detected by melton]

Alan Barrett apb at cequrux.com
Mon Feb 6 22:26:02 EST 2012


On Mon, 06 Feb 2012, Ángel González wrote:
>>     The 10th report is another false positive:
>>     Logic error 	Memory leak 	auth-options.i 	10587 	28 	View Report
>>     http://lcs.ios.ac.cn/~xuzb/bugsfound/memleak/openssh-5.9p1/realbugs/sshd/report-mVEeJj.html#EndPath
>>
>>     Melton complains that in line 10587 the memory of data wasn't
>>     released, but there's a call to buffer_free(&data);
>>     in line 10585.

Similarly to several of the other cases, this leak occurs only 
with unusual input.  If "source-address" appears twice in the 
options, then the allocation in line 10505 occurs twice; the first 
allocation leaks, and the second allocation is freed later.

The presence of both "7 Taking true branch" and "21 Taking true 
branch" at line 10504 is the clue that this leak occurs when 
"source-address" appears twice.

--apb (Alan Barrett)
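
[Added example, not part of the original message and not OpenSSH code.] A minimal reproduction of the pattern described above: a value allocated once per occurrence of "source-address" but freed only once at the end, next to one possible fix that releases the earlier value first. The comma-separated option format, the function names and the small allocation tracker are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed option strings (the comma-separated format is an assumption). */
const char *const OPTS_ONCE = "no-pty,source-address=192.0.2.1";
const char *const OPTS_TWICE =
    "source-address=192.0.2.1,no-pty,source-address=192.0.2.2";
#define MAX_TRACKED 16
static char *tracked[MAX_TRACKED];      /* blocks allocated and not yet freed */

static char *dup_value(const char *s, size_t n) {
    char *p = calloc(n + 1, 1);
    if (p == NULL) abort();
    memcpy(p, s, n);
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == NULL) { tracked[i] = p; return p; }
    abort();                            /* tracker full: input too large for demo */
}

static void release(char *p) {
    for (int i = 0; p != NULL && i < MAX_TRACKED; i++)
        if (tracked[i] == p) { tracked[i] = NULL; free(p); return; }
}

/* Count blocks nobody freed, then reclaim them so the demo itself stays clean. */
static int sweep(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] != NULL) { free(tracked[i]); tracked[i] = NULL; n++; }
    return n;
}

/* Returns blocks leaked; free_previous=0 overwrites the pointer, 1 frees it first. */
int leaked_after_parse(const char *opts, int free_previous) {
    static const char key[] = "source-address=";
    const size_t klen = sizeof(key) - 1;
    char *addr = NULL;
    while (*opts != '\0') {
        size_t len = strcspn(opts, ",");
        if (len > klen && strncmp(opts, key, klen) == 0) {
            if (free_previous) release(addr);
            addr = dup_value(opts + klen, len - klen);
        }
        opts += len + (opts[len] == ',');
    }
    release(addr);                      /* frees only the most recent allocation */
    return sweep();
}

int main(void) { return leaked_after_parse(OPTS_TWICE, 1); }
```

With free_previous set to 0 the repeated option leaves one orphaned block per extra occurrence; rejecting a duplicate option outright would be another way to close the leak.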

