From 15d71a8c51b93efd169cb2779ba442abdbcd1f5f Mon Sep 17 00:00:00 2001 From: Tobias Klauser Date: Tue, 13 Jan 2015 11:18:41 +0100 Subject: sftp: Fix memory leak on realloc failure If realloc of sftp->ext->name or sftp->ext->data fails, the memory previously allocated for the respective member is leaked. Fix this by storing the return value of realloc() in a temporary variable which only gets assigned to the respective sftp->ext member on success. Signed-off-by: Tobias Klauser Reviewed-by: Andreas Schneider --- src/sftp.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/sftp.c b/src/sftp.c index b57da645..072a844e 100644 --- a/src/sftp.c +++ b/src/sftp.c @@ -545,6 +545,7 @@ int sftp_init(sftp_session sftp) { rc = ssh_buffer_unpack(packet->payload, "s", &ext_name); while (rc == SSH_OK) { int count = sftp->ext->count; + char **tmp; rc = ssh_buffer_unpack(packet->payload, "s", &ext_data); if (rc == SSH_ERROR) { @@ -556,23 +557,25 @@ int sftp_init(sftp_session sftp) { ext_name, ext_data); count++; - sftp->ext->name = realloc(sftp->ext->name, count * sizeof(char *)); - if (sftp->ext->name == NULL) { + tmp = realloc(sftp->ext->name, count * sizeof(char *)); + if (tmp == NULL) { ssh_set_error_oom(sftp->session); SAFE_FREE(ext_name); SAFE_FREE(ext_data); return -1; } - sftp->ext->name[count - 1] = ext_name; + tmp[count - 1] = ext_name; + sftp->ext->name = tmp; - sftp->ext->data = realloc(sftp->ext->data, count * sizeof(char *)); - if (sftp->ext->data == NULL) { + tmp = realloc(sftp->ext->data, count * sizeof(char *)); + if (tmp == NULL) { ssh_set_error_oom(sftp->session); SAFE_FREE(ext_name); SAFE_FREE(ext_data); return -1; } - sftp->ext->data[count - 1] = ext_data; + tmp[count - 1] = ext_data; + sftp->ext->data = tmp; sftp->ext->count = count; -- cgit v1.2.3