From c46da2f079cd28503f7b3fac5734bf6863858257 Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Sat, 20 Dec 2014 18:43:46 +0000
Subject: [PATCH] Fix memory management in bignum_random_in_range.

We were allocating a new array in which to make up a random number
every time we went round the loop, and not freeing any of them. Now we
allocate a single array to use for all loop iterations, and clear and
free it properly afterwards.

Patch due to Tim Kosse.
---
 sshbn.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sshbn.c b/sshbn.c
index b40781ff..42923ac0 100644
--- a/sshbn.c
+++ b/sshbn.c
@@ -1236,18 +1236,18 @@ Bignum bignum_from_bytes(const unsigned char *data, int nbytes)
 Bignum bignum_random_in_range(const Bignum lower, const Bignum upper)
 {
     Bignum ret = NULL;
+    unsigned char *bytes;
     int upper_len = bignum_bitcount(upper);
     int upper_bytes = upper_len / 8;
     int upper_bits = upper_len % 8;
     if (upper_bits) ++upper_bytes;
 
+    bytes = snewn(upper_bytes, unsigned char);
     do {
-        unsigned char *bytes;
         int i;
 
         if (ret) freebn(ret);
 
-        bytes = snewn(upper_bytes, unsigned char);
         for (i = 0; i < upper_bytes; ++i)
         {
             bytes[i] = (unsigned char)random_byte();
@@ -1260,6 +1260,7 @@ Bignum bignum_random_in_range(const Bignum lower, const Bignum upper)
 
         ret = bignum_from_bytes(bytes, upper_bytes);
     } while (bignum_cmp(ret, lower) < 0 || bignum_cmp(ret, upper) > 0);
+    sfree(bytes);
 
     return ret;
 }