author | Andreas Schneider <asn@cryptomilk.org> | 2012-10-05 14:46:36 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-11-14 17:11:03 +0100 |
commit | 46b2eb3c147a29478809f1ab95e924e1bb7e3768 (patch) | |
tree | 89b00bfeaef69a6a2c97e0e5c1cf41796957926d | |
parent | 6236001ff4f9017c9f842d6548baba9760c95f5c (diff) | |
CVE-2012-4559: Make sure we don't free name and longname twice on error.
-rw-r--r-- | src/sftp.c | 26 |
1 files changed, 16 insertions, 10 deletions
@@ -1203,8 +1203,8 @@ static char *sftp_parse_longname(const char *longname,
 so that number of pairs equals extended_count */
 static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
 int expectname) {
- ssh_string longname = NULL;
- ssh_string name = NULL;
+ ssh_string longname;
+ ssh_string name;
 sftp_attributes attr;
 uint32_t flags = 0;
 int ok = 0;
@@ -1219,19 +1219,27 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
 /* This isn't really a loop, but it is like a try..catch.. */
 do {
 if (expectname) {
- if ((name = buffer_get_ssh_string(buf)) == NULL ||
- (attr->name = ssh_string_to_char(name)) == NULL) {
- break;
+ name = buffer_get_ssh_string(buf);
+ if (name == NULL) {
+ break;
 }
+ attr->name = ssh_string_to_char(name);
 ssh_string_free(name);
+ if (attr->name == NULL) {
+ break;
+ }
 ssh_log(sftp->session, SSH_LOG_RARE, "Name: %s", attr->name);
- if ((longname=buffer_get_ssh_string(buf)) == NULL ||
- (attr->longname=ssh_string_to_char(longname)) == NULL) {
- break;
+ longname = buffer_get_ssh_string(buf);
+ if (longname == NULL) {
+ break;
 }
+ attr->longname = ssh_string_to_char(longname);
 ssh_string_free(longname);
+ if (attr->longname == NULL) {
+ break;
+ }
 /* Set owner and group if we talk to openssh and have the longname */
 if (ssh_get_openssh_version(sftp->session)) {
@@ -1336,8 +1344,6 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
 if (!ok) {
 /* break issued somewhere */
- ssh_string_free(name);
- ssh_string_free(longname);
 ssh_string_free(attr->extended_type);
 ssh_string_free(attr->extended_data);
 SAFE_FREE(attr->name); |
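Review bot: Dropping the `= NULL` initialisers on `longname` and `name` in the declarations at the top of sftp_parse_attr_3 leaves both pointers indeterminate when `expectname` is 0 and dangling after their `ssh_string_free()` calls. Nothing in the visible hunks reads them in that state, because the last hunk removes the cleanup frees. If a later change reintroduces a free or a check on an error path, it would operate on garbage instead of NULL. Scoping the temporaries to where they are used makes that mistake harder: declare `ssh_string name = NULL;` and `ssh_string longname = NULL;` at the top of the `if (expectname) {` block rather than function-wide. The function body continues outside these hunks, so confirm that no other use of either variable remains.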
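Review bot: The ownership rule that the `if (expectname)` block now relies on is undocumented: `name` and `longname` are released immediately after conversion and must never be freed again in the `!ok` cleanup. That rule is the whole fix for the double free. A short comment above each `ssh_string_free()` call would stop a later refactor from undoing it, for example `/* name is a temporary; attr->name owns the copy, so never free name in the error path */`, with the same wording for `longname`. The diffstat shows only src/sftp.c changed, so no regression test covers the failure path after a successful name read; a test that parses a truncated attribute reply under a memory checker would pin the behaviour.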