1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

Fix a more complicated memory leak.

The field s->username in the ssh2userauth state was sometimes a
secondary reference to s->default_username, and sometimes a
dynamically allocated string. So not freeing it can leak memory, but
freeing it (if non-null) can cause a double-free crash.

Solution: add a new field s->locally_allocated_username which is the
thing that needs freeing (if any), and make s->username into a const
char * which is always a secondary reference to _something_.
This commit is contained in:
Simon Tatham 2019-07-06 18:06:04 +01:00
parent e0b811cc1f
commit d7f254fdb0

View File

@ -58,7 +58,8 @@ struct ssh2_userauth_state {
bool kbd_inter_refused; bool kbd_inter_refused;
prompts_t *cur_prompt; prompts_t *cur_prompt;
int num_prompts; int num_prompts;
char *username; const char *username;
char *locally_allocated_username;
char *password; char *password;
bool got_username; bool got_username;
strbuf *publickey_blob; strbuf *publickey_blob;
@ -176,6 +177,7 @@ static void ssh2_userauth_free(PacketProtocolLayer *ppl)
agent_cancel_query(s->auth_agent_query); agent_cancel_query(s->auth_agent_query);
filename_free(s->keyfile); filename_free(s->keyfile);
sfree(s->default_username); sfree(s->default_username);
sfree(s->locally_allocated_username);
sfree(s->hostname); sfree(s->hostname);
sfree(s->fullhostname); sfree(s->fullhostname);
sfree(s->publickey_comment); sfree(s->publickey_comment);
@ -428,7 +430,9 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
ssh_user_close(s->ppl.ssh, "No username provided"); ssh_user_close(s->ppl.ssh, "No username provided");
return; return;
} }
s->username = dupstr(s->cur_prompt->prompts[0]->result); sfree(s->locally_allocated_username); /* for change_username */
s->username = s->locally_allocated_username =
dupstr(s->cur_prompt->prompts[0]->result);
free_prompts(s->cur_prompt); free_prompts(s->cur_prompt);
} else { } else {
if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE))