From d624ae2ab5090c1c14db2b329df1cd4eb71db621 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Mon, 8 Oct 2018 19:25:57 +0100
Subject: [PATCH] Fix double-free bug in (non-EC) Diffie-Hellman.

The variable s->e in ssh2_transport_state should never be freed by ssh2transport itself, because it's owned by the dh_ctx, so it will be freed by dh_cleanup.
---
 ssh2transport.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/ssh2transport.c b/ssh2transport.c
index a058f752..0b1f6506 100644
--- a/ssh2transport.c
+++ b/ssh2transport.c
@@ -395,7 +395,6 @@ static void ssh2_transport_free(PacketProtocolLayer *ppl)
 ssh_key_free(s->hkey);
 s->hkey = NULL;
 }
- if (s->e) freebn(s->e);
 if (s->f) freebn(s->f);
 if (s->p) freebn(s->p);
 if (s->g) freebn(s->g);
@@ -1368,7 +1367,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
 dh_cleanup(s->dh_ctx);
 s->dh_ctx = NULL;
 freebn(s->f); s->f = NULL;
- freebn(s->e); s->e = NULL;
 if (dh_is_gex(s->kex_alg)) {
 freebn(s->g); s->g = NULL;
 freebn(s->p); s->p = NULL;
@@ -1690,7 +1688,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
 dh_cleanup(s->dh_ctx);
 s->dh_ctx = NULL;
 freebn(s->f); s->f = NULL;
- freebn(s->e); s->e = NULL;
 if (dh_is_gex(s->kex_alg)) {
 freebn(s->g); s->g = NULL;
 freebn(s->p); s->p = NULL;
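Review bot: In the `@@ -1368` hunk, dropping the whole `freebn(s->e); s->e = NULL;` line leaves `s->e` pointing into storage that `dh_cleanup(s->dh_ctx)` on the line just above has already released, so the field is now a dangling pointer for the rest of the key exchange; the same applies to the `@@ -1690` hunk. Keeping only the assignment, `s->e = NULL;`, matches the `freebn(s->f); s->f = NULL;` pattern the surrounding lines already use and turns any later accidental use into a null dereference instead of a use-after-free. A short ownership comment on the `e` member of ssh2_transport_state (its declaration is outside this patch), such as `/* owned by dh_ctx; released by dh_cleanup(), never freebn()'d here */`, would record the invariant this commit relies on. ssh2_transport_process_queue continues outside both hunks.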