authorAndreas Schneider <asn@cryptomilk.org>2012-10-05 14:46:36 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:11:03 +0100
commit46b2eb3c147a29478809f1ab95e924e1bb7e3768 (patch)
tree89b00bfeaef69a6a2c97e0e5c1cf41796957926d
parent6236001ff4f9017c9f842d6548baba9760c95f5c (diff)
CVE-2012-4559: Make sure we don't free name and longname twice on error.
-rw-r--r--src/sftp.c26
1 files changed, 16 insertions, 10 deletions
diff --git a/src/sftp.c b/src/sftp.c
index d41b6431..99129580 100644
--- a/src/sftp.c
+++ b/src/sftp.c
@@ -1203,8 +1203,8 @@ static char *sftp_parse_longname(const char *longname,
so that number of pairs equals extended_count */
static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
int expectname) {
- ssh_string longname = NULL;
- ssh_string name = NULL;
+ ssh_string longname;
+ ssh_string name;
sftp_attributes attr;
uint32_t flags = 0;
int ok = 0;
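Review bot: Dropping the `= NULL` initialisers leaves `longname` and `name` indeterminate whenever `expectname` is zero, since the lines shown assign them only inside `if (expectname)`. That is safe only while no cleanup path touches them, which this commit arranges by removing the two frees from the `if (!ok)` block. I would either keep `ssh_string name = NULL;` and `ssh_string longname = NULL;`, or move both declarations into the `if (expectname)` block, so that a later edit cannot reach a stale or uninitialised pointer. The function body continues outside this hunk.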
@@ -1219,19 +1219,27 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
/* This isn't really a loop, but it is like a try..catch.. */
do {
if (expectname) {
- if ((name = buffer_get_ssh_string(buf)) == NULL ||
- (attr->name = ssh_string_to_char(name)) == NULL) {
- break;
+ name = buffer_get_ssh_string(buf);
+ if (name == NULL) {
+ break;
}
+ attr->name = ssh_string_to_char(name);
ssh_string_free(name);
+ if (attr->name == NULL) {
+ break;
+ }
ssh_log(sftp->session, SSH_LOG_RARE, "Name: %s", attr->name);
- if ((longname=buffer_get_ssh_string(buf)) == NULL ||
- (attr->longname=ssh_string_to_char(longname)) == NULL) {
- break;
+ longname = buffer_get_ssh_string(buf);
+ if (longname == NULL) {
+ break;
}
+ attr->longname = ssh_string_to_char(longname);
ssh_string_free(longname);
+ if (attr->longname == NULL) {
+ break;
+ }
/* Set owner and group if we talk to openssh and have the longname */
if (ssh_get_openssh_version(sftp->session)) {
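Review bot: The fetch / convert / free / NULL-check sequence is now written out twice, and after each `ssh_string_free()` the local still holds the freed pointer, which is the same stale value the old cleanup path freed a second time. Folding the sequence into a small static helper keeps the temporary `ssh_string` out of `sftp_parse_attr_3` entirely, so the cleanup at `if (!ok)` only ever owns `attr->` fields. The helper name below is a suggestion, and the enclosing function starts and ends outside this hunk.

```c
/* Reads one ssh_string from buf and returns it as a newly allocated C string,
 * or NULL on failure. The temporary ssh_string never leaves this helper, so
 * callers have nothing to free except the returned char pointer. */
static char *sftp_buffer_get_cstring(ssh_buffer buf) {
  ssh_string s = buffer_get_ssh_string(buf);
  char *out;

  if (s == NULL) {
    return NULL;
  }
  out = ssh_string_to_char(s);
  ssh_string_free(s);
  return out;
}

/* … in sftp_parse_attr_3, inside if (expectname) … */
attr->name = sftp_buffer_get_cstring(buf);
if (attr->name == NULL) {
  break;
}
/* … unchanged: ssh_log of attr->name … */
attr->longname = sftp_buffer_get_cstring(buf);
if (attr->longname == NULL) {
  break;
}
```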
@@ -1336,8 +1344,6 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
if (!ok) {
/* break issued somewhere */
- ssh_string_free(name);
- ssh_string_free(longname);
ssh_string_free(attr->extended_type);
ssh_string_free(attr->extended_data);
SAFE_FREE(attr->name);