Overview

File 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch of Package libssh.1120

From f12bf9ee2f05af398d341c6836f157cc6598f564 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Fri, 5 Oct 2012 14:46:36 +0200
Subject: [PATCH 09/11] CVE-2012-4559: Make sure we don't free name and
 longname twice on error.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit f6e6f3e5e5c5242df1e0bf7d9311eba6e8ba376a)
---
 src/sftp.c |   26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/src/sftp.c b/src/sftp.c
index 99798e7..127d062 100644
--- a/src/sftp.c
+++ b/src/sftp.c
@@ -1193,8 +1193,8 @@ static char *sftp_parse_longname(const char *longname,
                    so that number of pairs equals extended_count              */
 static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
     int expectname) {
-  ssh_string longname = NULL;
-  ssh_string name = NULL;
+  ssh_string longname;
+  ssh_string name;
   sftp_attributes attr;
   uint32_t flags = 0;
   int ok = 0;
@@ -1209,19 +1209,27 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
   /* This isn't really a loop, but it is like a try..catch.. */
   do {
     if (expectname) {
-      if ((name = buffer_get_ssh_string(buf)) == NULL ||
-          (attr->name = ssh_string_to_char(name)) == NULL) {
-        break;
+      name = buffer_get_ssh_string(buf);
+      if (name == NULL) {
+          break;
       }
+      attr->name = ssh_string_to_char(name);
       ssh_string_free(name);
+      if (attr->name == NULL) {
+          break;
+      }
 
       ssh_log(sftp->session, SSH_LOG_RARE, "Name: %s", attr->name);
 
-      if ((longname=buffer_get_ssh_string(buf)) == NULL ||
-          (attr->longname=ssh_string_to_char(longname)) == NULL) {
-        break;
+      longname = buffer_get_ssh_string(buf);
+      if (longname == NULL) {
+          break;
       }
+      attr->longname = ssh_string_to_char(longname);
       ssh_string_free(longname);
+      if (attr->longname == NULL) {
+        break;
+      }
 
       /* Set owner and group if we talk to openssh and have the longname */
       if (ssh_get_openssh_version(sftp->session)) {
@@ -1326,8 +1334,6 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
 
   if (!ok) {
     /* break issued somewhere */
-    ssh_string_free(name);
-    ssh_string_free(longname);
     ssh_string_free(attr->extended_type);
     ssh_string_free(attr->extended_data);
     SAFE_FREE(attr->name);
-- 
1.7.10.4
openSUSE Build Service is sponsored by
Places