nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-04-10 15:48:06 -05:00
Code Issues Projects Releases Wiki Activity

Fix double-free bug in (non-EC) Diffie-Hellman.

Browse Source 
The variable s->e in ssh2_transport_state should never be freed by
ssh2transport itself, because it's owned by the dh_ctx, so it will be
freed by dh_cleanup.
This commit is contained in:
Simon Tatham 2018-10-08 19:25:57 +01:00
parent e3e434537d
commit d624ae2ab5
1 changed files with 0 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ssh2transport.c
View File

@ -395,7 +395,6 @@ static void ssh2_transport_free(PacketProtocolLayer *ppl)
ssh_key_free(s->hkey);
s->hkey = NULL;
}
if (s->e) freebn(s->e);
if (s->f) freebn(s->f);
if (s->p) freebn(s->p);
if (s->g) freebn(s->g);
@ -1368,7 +1367,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
dh_cleanup(s->dh_ctx);
s->dh_ctx = NULL;
freebn(s->f); s->f = NULL;
freebn(s->e); s->e = NULL;
if (dh_is_gex(s->kex_alg)) {
freebn(s->g); s->g = NULL;
freebn(s->p); s->p = NULL;
@ -1690,7 +1688,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
dh_cleanup(s->dh_ctx);
s->dh_ctx = NULL;
freebn(s->f); s->f = NULL;
freebn(s->e); s->e = NULL;
if (dh_is_gex(s->kex_alg)) {
freebn(s->g); s->g = NULL;
freebn(s->p); s->p = NULL;