From 1f6d93f0c87a478e10591960e71fe9dce0a0ecf0 Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Wed, 7 Sep 2022 13:52:58 +0100
Subject: [PATCH] Fix a batch of resource leaks spotted by Coverity.

---
 crypto/ntru.c      | 10 ++++++++--
 ssh/kex2-client.c  |  1 +
 unix/storage.c     |  2 ++
 windows/puttygen.c |  1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/crypto/ntru.c b/crypto/ntru.c
index fb802694..edc57a91 100644
--- a/crypto/ntru.c
+++ b/crypto/ntru.c
@@ -1242,12 +1242,12 @@ ptrlen ntru_decode_pubkey(uint16_t *pubkey, unsigned p, unsigned q,
     } else {
         /* Do the decoding */
         ntru_decode(sched, pubkey, encoded);
-        ntru_encode_schedule_free(sched);
 
         /* Unbias the coefficients */
         ntru_bias(pubkey, pubkey, q-q/2, p, q);
     }
 
+    ntru_encode_schedule_free(sched);
     return encoded;
 }
 
@@ -1328,13 +1328,13 @@ ptrlen ntru_decode_ciphertext(uint16_t *ct, NTRUKeyPair *keypair,
     } else {
         /* Do the decoding */
         ntru_decode(sched, ct, encoded);
-        ntru_encode_schedule_free(sched);
 
         /* Undo the scaling and bias */
         ntru_scale(ct, ct, 3, p, q);
         ntru_bias(ct, ct, q - 3 * ciphertext_bias(q), p, q);
     }
 
+    ntru_encode_schedule_free(sched);
     return encoded;        /* also useful to the caller, optionally */
 }
 
@@ -1649,6 +1649,7 @@ static bool ssh_ntru_client_getkey(ecdh_key *dh, ptrlen remoteKey,
         if (!ok) {
             ssh_hash_free(h);
             smemclr(hashdata, sizeof(hashdata));
+            strbuf_free(otherkey);
             return false;
         }
 
@@ -1778,6 +1779,7 @@ static bool ssh_ntru_server_getkey(ecdh_key *dh, ptrlen remoteKey,
         ntru_encrypt(ciphertext, nk->plaintext, pubkey, p_LIVE, q_LIVE);
         ntru_encode_ciphertext(ciphertext, p_LIVE, q_LIVE,
                                BinarySink_UPCAST(nk->ciphertext_encoded));
+        ring_free(ciphertext, p_LIVE);
 
         /* Compute the confirmation hash, and write it into another
          * strbuf. */
@@ -1793,6 +1795,9 @@ static bool ssh_ntru_server_getkey(ecdh_key *dh, ptrlen remoteKey,
 
         /* And put the NTRU session hash into the main hash object. */
         put_data(h, hashdata, 32);
+
+        /* Now we can free the public key */
+        ring_free(pubkey, p_LIVE);
     }
 
     /*
@@ -1809,6 +1814,7 @@ static bool ssh_ntru_server_getkey(ecdh_key *dh, ptrlen remoteKey,
         if (!ok) {
             ssh_hash_free(h);
             smemclr(hashdata, sizeof(hashdata));
+            strbuf_free(otherkey);
             return false;
         }
 
diff --git a/ssh/kex2-client.c b/ssh/kex2-client.c
index 3fca162e..ca9fa505 100644
--- a/ssh/kex2-client.c
+++ b/ssh/kex2-client.c
@@ -962,6 +962,7 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
                 } else {
                     ppl_logevent("Rejected host key certificate: %s",
                                  error->s);
+                    strbuf_free(error);
                     /* now fall through into normal host key checking */
                 }
             }
diff --git a/unix/storage.c b/unix/storage.c
index a2456fc4..ca225732 100644
--- a/unix/storage.c
+++ b/unix/storage.c
@@ -679,6 +679,8 @@ host_ca *host_ca_load(const char *name)
         sfree(line);
     }
 
+    fclose(fp);
+
     if (eb) {
         if (!hca->validity_expression) {
             hca->validity_expression = cert_expr_expression(eb);
diff --git a/windows/puttygen.c b/windows/puttygen.c
index 52b1a9cb..143e7b5f 100644
--- a/windows/puttygen.c
+++ b/windows/puttygen.c
@@ -1256,6 +1256,7 @@ void add_certificate(HWND hwnd, struct MainDlgState *state,
         message_box(hwnd, msg, "PuTTYgen Error", MB_OK | MB_ICONERROR,
                     HELPCTXID(errors_cantloadkey));
         sfree(msg);
+        strbuf_free(pub);
         return;
     }