From 7c79b5c154ce2788cf5254a62468fee5112f7640 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 25 Apr 2017 16:20:06 +0200
Subject: messages: Do not leak memory of previously allocated answers
Found by ozz-fuzz
BUG: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1222
Signed-off-by: Andreas Schneider
---
src/messages.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/messages.c b/src/messages.c
index b953ee6d..3ed912fd 100644
--- a/src/messages.c
+++ b/src/messages.c
@@ -969,6 +969,15 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
goto error;
}
+ } else if (session->kbdint->nanswers > 0) {
+ uint32_t n;
+
+ for (n = 0; n < session->kbdint->nanswers; n++) {
+ BURN_STRING(session->kbdint->answers[n]);
+ SAFE_FREE(session->kbdint->answers[n]);
+ }
+ SAFE_FREE(session->kbdint->answers);
+ session->kbdint->nanswers = 0;
}
SSH_LOG(SSH_LOG_PACKET,"kbdint: %d answers",nanswers);
@@ -989,7 +998,6 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
}
session->kbdint->nanswers = nanswers;
- SAFE_FREE(session->kbdint->answers);
session->kbdint->answers = calloc(1, nanswers * sizeof(char *));
if (session->kbdint->answers == NULL) {
session->kbdint->nanswers = 0;
@@ -1010,7 +1018,6 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
goto error;
}
- SAFE_FREE(session->kbdint->answers[i]);
session->kbdint->answers[i] = ssh_string_to_char(tmp);
ssh_string_free(tmp);
if (session->kbdint->answers[i] == NULL) {
--
cgit v1.2.3
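Review bot: The new cleanup branch is gated on `session->kbdint->nanswers > 0`, but the array pointer is what needs releasing, and if nothing above this hunk rejects a zero-answer response (not visible here) a previous call leaves `session->kbdint->answers` holding the block that `calloc(1, 0)` returns on implementations where that is non-NULL; with the unconditional `SAFE_FREE(session->kbdint->answers)` removed in the second hunk, that block is now never freed. Gating on the pointer covers both cases while the loop stays bounded by the count: `} else if (session->kbdint->answers != NULL) {`. Whether `BURN_STRING` actually scrubs the answers before `free` depends on its definition, which is not in the hunk; if it is a plain `memset`, the compiler may elide the write and an `explicit_bzero`-style wipe would be needed for the credentials to really leave memory. The `if` this `else if` attaches to and the enclosing `ssh_packet_userauth_info_response` callback start outside the hunk.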
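Review bot: `session->kbdint->answers = calloc(1, nanswers * sizeof(char *));` performs the count-times-size multiplication itself, which sidesteps the overflow check calloc does on its two arguments; `session->kbdint->answers = calloc(nanswers, sizeof *session->kbdint->answers);` allocates the same thing and lets the library check the product. If `nanswers` is already capped by a maximum earlier in the function (not visible in this hunk) the overflow is unreachable, but the idiomatic form is cheaper to audit and ties the element size to the variable's type. Note that a zero `nanswers` reaches this line as `calloc(1, 0)`, whose result is implementation-defined and may be NULL, in which case the OOM path below reports an error for a response that simply carried no answers. The function continues on both sides of the hunk.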
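Review bot: Dropping `SAFE_FREE(session->kbdint->answers[i]);` is correct only because the array was just obtained from `calloc`, so every slot starts NULL, and because stale answers are now burned and freed before the array is reallocated; neither reason is recorded at the assignment, so a later reader may reinstate the free or wonder about the missing one. A one-line comment above `session->kbdint->answers[i] = ssh_string_to_char(tmp);` would pin it down: `/* answers[] is freshly calloc'ed (all NULL); earlier answers were burned and freed before reallocation */`. On the `goto error` path inside this loop the partially filled array remains attached to `session->kbdint` with `nanswers` already set, which is the state the new cleanup branch at the top of the function is designed to handle on the next response. The surrounding loop and the function body extend outside the hunk.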