From 869ce8867ee445bf904f0130d7ef6788bc9538a5 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sun, 30 Dec 2018 13:16:28 +0000
Subject: [PATCH] Fix use after free in ssh1login.

I was freeing the textual key fingerprint _before_ passing it to seat_verify_ssh_host_key. Ahem.
---
 ssh1login.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssh1login.c b/ssh1login.c
index d3555130..bb77d569 100644
--- a/ssh1login.c
+++ b/ssh1login.c
@@ -230,8 +230,8 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
 /* First check against manually configured host keys. */
 s->dlgret = verify_ssh_manual_host_key(s->conf, fingerprint, NULL);
- sfree(fingerprint);
 if (s->dlgret == 0) { /* did not match */
+ sfree(fingerprint);
 sfree(keystr);
 ssh_proto_error(s->ppl.ssh, "Host key did not appear in manually " "configured list");
@@ -240,6 +240,7 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
 s->dlgret = seat_verify_ssh_host_key( s->ppl.seat, s->savedhost, s->savedport, "rsa", keystr, fingerprint, ssh1_login_dialog_callback, s);
+ sfree(fingerprint);
 sfree(keystr);
 #ifdef FUZZING
 s->dlgret = 1;
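Review bot: Dropping the unconditional `sfree(fingerprint)` in the first hunk means every exit from this block now has to free `fingerprint` itself, and only two of those exits are visible here: the did-not-match branch and the `seat_verify_ssh_host_key` path in the second hunk. If `verify_ssh_manual_host_key` returns a positive (matched) result and control bypasses the seat call, `fingerprint` would leak on that path unless it is freed somewhere between the two hunks — those lines are not in the patch, so this is inferred rather than seen. The new `sfree(fingerprint)` after `seat_verify_ssh_host_key` also relies on the seat not retaining the pointer across a pending `ssh1_login_dialog_callback`; `keystr` is freed the same way on the next line, so presumably the seat copies what it displays, but a comment there such as `/* seat must copy anything it needs; fingerprint and keystr die here */` would record that contract. `ssh1_login_process_queue` begins and ends outside both hunks.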