File libssh-CVE-2025-8277.patch of Package libssh.40781

From ccff22d3787c1355b3f0dcd09fe54d90acc55bf1 Mon Sep 17 00:00:00 2001
From: Francesco Rollo <eferollo@gmail.com>
Date: Thu, 24 Jul 2025 16:30:07 +0300
Subject: [PATCH 10/20] CVE-2025-8277: Fix memory leak of unused ephemeral key
 pair after client's wrong KEX guess

Signed-off-by: Francesco Rollo <eferollo@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

Index: libssh-0.6.3/src/ecdh.c
===================================================================
--- libssh-0.6.3.orig/src/ecdh.c
+++ libssh-0.6.3/src/ecdh.c
@@ -83,6 +83,12 @@ int ssh_client_ecdh_init(ssh_session ses
       return SSH_ERROR;
   }
 
+  /* Free any previously allocated privkey */
+  if (session->next_crypto->ecdh_privkey != NULL) {
+      EC_KEY_free(session->next_crypto->ecdh_privkey);
+      session->next_crypto->ecdh_privkey = NULL;
+  }
+
   session->next_crypto->ecdh_privkey = key;
   session->next_crypto->ecdh_client_pubkey = client_pubkey;
 
@@ -143,8 +149,13 @@ static int ecdh_build_k(ssh_session sess
 
   bignum_bin2bn(buffer, len, session->next_crypto->k);
   free(buffer);
-  EC_KEY_free(session->next_crypto->ecdh_privkey);
-  session->next_crypto->ecdh_privkey=NULL;
+
+  /* Free any previously allocated privkey */
+  if (session->next_crypto->ecdh_privkey != NULL) {
+      EC_KEY_free(session->next_crypto->ecdh_privkey);
+      session->next_crypto->ecdh_privkey = NULL;
+  }
+
 #ifdef DEBUG_CRYPTO
     ssh_print_hexa("Session server cookie",
                    session->next_crypto->server_kex.cookie, 16);
@@ -271,6 +282,12 @@ int ssh_server_ecdh_init(ssh_session ses
                        ctx);
     BN_CTX_free(ctx);
 
+    /* Free any previously allocated privkey */
+    if (session->next_crypto->ecdh_privkey != NULL) {
+      EC_KEY_free(session->next_crypto->ecdh_privkey);
+      session->next_crypto->ecdh_privkey = NULL;
+    }
+
     session->next_crypto->ecdh_privkey = ecdh_key;
     session->next_crypto->ecdh_server_pubkey = q_s_string;