[PATCH] fix memory leak in mux_client_request_stdio_fwd
Boris Tonofa
boris.afonot at gmail.com
Sat Jun 14 06:23:39 AEST 2025

Hi,
This patch fixes a memory leak in mux_client_request_stdio_fwd().
If mux_client_read_packet() returned early due to EPIPE or EINTR, the 
function exited without freeing the buffer allocated with sshbuf_new(). 
This patch ensures the sshbuf is always freed on all return paths.
The patch applies cleanly to current master and passes all CI tests.
GitHub mirror PR (with CI results):
   https://github.com/openssh/openssh-portable/pull/575
Please review.
Thanks,
Boris
 From 65fcdc9253518912d859bd6427a9c24d786da4e2 Mon Sep 17 00:00:00 2001
From: Boris Tonofa <b.tonofa at ideco.ru>
Date: Fri, 13 Jun 2025 00:06:32 +0300
Subject: [PATCH] fix memory leak in mux_client_request_stdio_fwd
---
  mux.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mux.c b/mux.c
index 415024f74..1069e3df4 100644
--- a/mux.c
+++ b/mux.c
@@ -2202,8 +2202,10 @@ mux_client_request_stdio_fwd(int fd)
  	sshbuf_reset(m);
  	if (mux_client_read_packet(fd, m) != 0) {
  		if (errno == EPIPE ||
-		    (errno == EINTR && muxclient_terminate != 0))
+		    (errno == EINTR && muxclient_terminate != 0)) {
+			sshbuf_free(m);
  			return 0;
+		}
  		fatal_f("mux_client_read_packet: %s", strerror(errno));
  	}
  	fatal_f("master returned unexpected message %u", type);
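Review bot: The commit message carries only a subject line, while the added sshbuf_free(m) covers one specific exit: the `return 0` in the EPIPE / EINTR-with-muxclient_terminate branch. Please add a short body saying that this branch is the leaking path and that the two fatal_f() calls after it do not return, so they need no matching free. Within the hunk the free is correctly placed after the errno test, so the condition still sees the value set by mux_client_read_packet(); keep that ordering if the block is reworked, since the following fatal_f also reports strerror(errno).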
-- 
2.47.0
    
    