[PATCH] leak in ssh_set_newkeys()

Bugzilla # 2942 (https://bugzilla.mindrot.org/show_bug.cgi?id=2942)


During initialization a memory leak occurs in ssh_set_newkeys().

During startup ssh_set_newkeys() is called twice, once with MODE_OUT and once with MODE_IN.

Accordingly the ccp pointer points to state->send_context and state->receive_context.

At this time state->newkeys[mode] is still NULL, so the if-clause ("rekeying") does not apply.

Further down cipher_init(ccp, ...) is called.

The first thing that cipher_init() does is set *ccp = NULL; which is equivalent to "state->send_context = NULL" (or "state->receive_context = NULL").

These point to memory blocks already.
The pointers are lost, the memory leaks.


Proposal: move

		cipher_free(*ccp);
		*ccp = NULL;

from the "rekeying" if-clause and place these two lines before calling cipher_init().


A more conservative approach would be to add

		if (*ccp != NULL) {
			cipher_free(*ccp);
			*ccp = NULL;
		}

before calling cipher_init().

diff --git a/packet.c b/packet.c
index dcf35e6..3a5a735 100644
--- a/packet.c
+++ b/packet.c
@@ -858,8 +858,6 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 		   (unsigned long long)state->p_read.blocks,
 		   (unsigned long long)state->p_send.bytes,
 		   (unsigned long long)state->p_send.blocks);
-		cipher_free(*ccp);
-		*ccp = NULL;
 		kex_free_newkeys(state->newkeys[mode]);
 		state->newkeys[mode] = NULL;
 	}
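Review bot: with `cipher_free(*ccp);` and `*ccp = NULL;` dropped from the rekeying branch, this block now releases only `state->newkeys[mode]` and leaves the old cipher context alive until the unconditional free placed further down the function; a one-line comment here saying the context is released just before cipher_init() would stop a future reader from re-adding the free here and double-freeing.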
@@ -878,6 +876,8 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 	}
 	mac->enabled = 1;
 	DBG(debug("cipher_init_context: %d", mode));
+	cipher_free(*ccp);
+	*ccp = NULL;
 	if ((r = cipher_init(ccp, enc->cipher, enc->key, enc->key_len,
 	    enc->iv, enc->iv_len, crypt_type)) != 0)
 		return r;
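Review bot: the unconditional `cipher_free(*ccp);` now runs on the initial MODE_OUT and MODE_IN calls as well as on rekeying, so the patch relies on cipher_free() being a no-op for a NULL argument; if that is not guaranteed for every caller's state, use the guarded form from the description (`if (*ccp != NULL) { ... }`). The intent that these two lines release the contexts ssh_set_newkeys() finds already allocated on first entry, which is the memory the report says leaks, is worth stating in a comment above them.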

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
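The leak pattern described in the report, as an added example that is not OpenSSH's code: a stand-in `ctx_init()` mirrors the behaviour attributed to cipher_init() (it stores NULL into the caller's pointer first, then allocates), `ctx_free()` tolerates NULL like the proposal assumes of cipher_free(), and two versions of a `set_newkeys()`-style function are run through initial key setup plus one rekey for both modes. The `struct ctx`, `struct state`, key ids and the `live_contexts` counter are constructed for this illustration only. The counter shows the leaky version losing one context per call while the free-before-init version loses none.

```c
/* Added example, not OpenSSH code: models the pointer-overwrite leak from the
 * report with a tiny stand-in for cipher_init()/cipher_free(). */
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a cipher context. */
struct ctx {
	int key_id;
};

/* Contexts currently allocated; lets a caller observe leaks. */
static int live_contexts = 0;

/* Mirrors the behaviour the report describes: the first thing init does is
 * *ccp = NULL, so whatever *ccp pointed at before is unreachable afterwards. */
static int ctx_init(struct ctx **ccp, int key_id)
{
	*ccp = NULL;
	struct ctx *c = calloc(1, sizeof(*c));
	if (c == NULL)
		return -1;
	c->key_id = key_id;
	live_contexts++;
	*ccp = c;
	return 0;
}

/* NULL-tolerant free, the property the unconditional variant relies on. */
static void ctx_free(struct ctx *c)
{
	if (c == NULL)
		return;
	live_contexts--;
	free(c);
}

/* Hypothetical stand-in for the send/receive context pair. */
struct state {
	struct ctx *send_context;
	struct ctx *receive_context;
};

/* Both contexts already exist before the first set_newkeys call, as the
 * report says of state->send_context / state->receive_context. */
static int state_init(struct state *st)
{
	st->send_context = st->receive_context = NULL;
	if (ctx_init(&st->send_context, 0) != 0)
		return -1;
	return ctx_init(&st->receive_context, 0);
}

/* Leaky version: init overwrites the pointer without releasing the old one. */
static int set_newkeys_leaky(struct state *st, int mode, int key_id)
{
	struct ctx **ccp = mode == 0 ? &st->send_context : &st->receive_context;
	return ctx_init(ccp, key_id);
}

/* Fixed version: free before init, unconditionally, as the patch proposes. */
static int set_newkeys_fixed(struct state *st, int mode, int key_id)
{
	struct ctx **ccp = mode == 0 ? &st->send_context : &st->receive_context;
	ctx_free(*ccp);
	*ccp = NULL;
	return ctx_init(ccp, key_id);
}

/* Run initial key setup plus one rekey for both modes, tear down, and return
 * the number of contexts that can no longer be freed (-1 on init failure). */
static int leaked_after_run(int (*set_newkeys)(struct state *, int, int))
{
	struct state st;
	int mode, round;

	live_contexts = 0;
	if (state_init(&st) != 0)
		return -1;
	for (round = 0; round < 2; round++)
		for (mode = 0; mode < 2; mode++)
			if (set_newkeys(&st, mode, round * 2 + mode + 1) != 0)
				return -1;
	ctx_free(st.send_context);
	ctx_free(st.receive_context);
	st.send_context = st.receive_context = NULL;
	return live_contexts;
}

int main(void)
{
	printf("leaked (init without free): %d\n", leaked_after_run(set_newkeys_leaky));
	printf("leaked (free before init):  %d\n", leaked_after_run(set_newkeys_fixed));
	return 0;
}
```

Running it reports 4 leaked contexts for the leaky variant (two on the initial MODE_OUT/MODE_IN calls, two more on the rekey) and 0 for the free-before-init variant; the same run under a leak checker such as valgrind or ASan flags the four blocks as definitely lost.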
