author | Damien Miller <djm@mindrot.org> | 2013-07-18 08:09:44 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-07-18 08:09:44 +0200 |
commit | 3071070b39e6d1722151c754cdc2b26640eaf45e (patch) | |
tree | 467608f0a4e1ebc4be86dfddb971082a3dad422b /krl.c | |
parent | - guenther@cvs.openbsd.org 2013/06/17 04:48:42 (diff) | |
- markus@cvs.openbsd.org 2013/06/20 19:15:06
[krl.c]
don't leak the rdata blob on errors; ok djm@
Diffstat (limited to '')
-rw-r--r-- | krl.c | 19 |
1 files changed, 11 insertions, 8 deletions
@@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.11 2013/04/05 00:14:00 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.12 2013/06/20 19:15:06 markus Exp $ */ #include "includes.h" @@ -887,9 +887,10 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, char timestamp[64]; int ret = -1, r, sig_seen; Key *key = NULL, **ca_used = NULL; - u_char type, *blob; - u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; + u_char type, *blob, *rdata = NULL; + u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used; + nca_used = 0; *krlp = NULL; if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { @@ -1015,21 +1016,22 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, case KRL_SECTION_EXPLICIT_KEY: case KRL_SECTION_FINGERPRINT_SHA1: while (buffer_len(§) > 0) { - if ((blob = buffer_get_string_ret(§, - &blen)) == NULL) { + if ((rdata = buffer_get_string_ret(§, + &rlen)) == NULL) { error("%s: buffer error", __func__); goto out; } if (type == KRL_SECTION_FINGERPRINT_SHA1 && - blen != 20) { + rlen != 20) { error("%s: bad SHA1 length", __func__); goto out; } if (revoke_blob( type == KRL_SECTION_EXPLICIT_KEY ? &krl->revoked_keys : &krl->revoked_sha1s, - blob, blen) != 0) - goto out; /* revoke_blob frees blob */ + rdata, rlen) != 0) + goto out; + rdata = NULL; /* revoke_blob frees blob */ } break; case KRL_SECTION_SIGNATURE: @@ -1095,6 +1097,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, key_free(ca_used[i]); } free(ca_used); + free(rdata); if (key != NULL) key_free(key); buffer_free(©); |
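Review bot: The retained comment on `rdata = NULL; /* revoke_blob frees blob */` in the KRL_SECTION_EXPLICIT_KEY / KRL_SECTION_FINGERPRINT_SHA1 loop no longer states the ownership rule that the new `free(rdata);` under the cleanup label depends on. After this change a non-zero return from revoke_blob() reaches that free with rdata still set, which is only correct if revoke_blob() neither frees nor stores its argument on every failure path; revoke_blob() is not visible in this diff, so that should be confirmed, because otherwise the cleanup turns the old leak into a double free while parsing a KRL blob. I would spell the contract out where the pointer is cleared, for example `rdata = NULL; /* revoke_blob owns rdata on success; on failure the caller still frees it */`, and repeat the same sentence in a comment above revoke_blob() itself. ssh_krl_from_blob() begins and ends outside these hunks, so any other exit that bypasses the cleanup label could not be checked here.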