From d41e0f8f7c0007cf4ebb62e82a286158d90ec631 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Sun, 17 Feb 2019 04:29:56 +0800
Subject: [PATCH] sshd: explicitly transfer free responsibility when adopting last_alloc
---
 plugins/ssh-base/sshd.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/plugins/ssh-base/sshd.c b/plugins/ssh-base/sshd.c
index 638fba455..62e0151af 100644
--- a/plugins/ssh-base/sshd.c
+++ b/plugins/ssh-base/sshd.c
@@ -1015,12 +1015,14 @@ again:
 case SSHS_DO_UAR_SVC:
 pss->ua->username = (char *)pss->last_alloc;
+ pss->last_alloc = NULL; /* it was adopted */
 state_get_string_alloc(pss, SSHS_DO_UAR_PUBLICKEY); /* destroyed with UA struct */
 break;
 case SSHS_DO_UAR_PUBLICKEY:
 pss->ua->service = (char *)pss->last_alloc;
+ pss->last_alloc = NULL; /* it was adopted */
 /* Sect 5, RFC4252 *
@@ -1082,6 +1084,7 @@ again:
 case SSHS_NVC_DO_UAR_ALG:
 pss->ua->alg = (char *)pss->last_alloc;
+ pss->last_alloc = NULL; /* it was adopted */
 if (rsa_hash_alg_from_ident(pss->ua->alg) < 0) {
 lwsl_notice("unknown alg\n");
 goto ua_fail;
@@ -1092,7 +1095,7 @@ again:
 case SSHS_NVC_DO_UAR_PUBKEY_BLOB:
 pss->ua->pubkey = pss->last_alloc;
- pss->last_alloc = NULL;
+ pss->last_alloc = NULL; /* it was adopted */
 pss->ua->pubkey_len = pss->npos;
 /* * RFC4253
@@ -1150,7 +1153,7 @@ again:
 }
 lwsl_info("SSHS_DO_UAR_SIG\n");
 pss->ua->sig = pss->last_alloc;
- pss->last_alloc = NULL;
+ pss->last_alloc = NULL; /* it was adopted */
 pss->ua->sig_len = pss->npos;
 pss->parser_state = SSHS_MSG_EAT_PADDING;
@@ -1334,6 +1337,7 @@ again:
 case SSHS_NVC_DISCONNECT_DESC:
 pss->disconnect_desc = (char *)pss->last_alloc;
+ pss->last_alloc = NULL; /* it was adopted */
 state_get_string(pss, SSHS_NVC_DISCONNECT_LANG);
 break;
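Review bot: In the `@@ -1015` hunk the assignments to `pss->ua->username` and `pss->ua->service` overwrite the field without looking at what it held, and once `last_alloc` is cleared nothing else refers to an earlier buffer. Whether `pss->ua` is always freshly allocated and zeroed before `SSHS_DO_UAR_SVC` is not visible in this hunk; if these states can be re-entered on the same `ua` before authentication completes, each pass would orphan the previous peer-supplied string. Either record the invariant next to the adoption, e.g. `/* ua was zeroed when allocated for this request, so the field is NULL here */` if that holds, or release the old value before taking the new one. The same question applies to `alg`, `pubkey` and `sig` in the `@@ -1082`, `@@ -1092` and `@@ -1150` hunks.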
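Review bot: In the `@@ -1334` hunk `pss->disconnect_desc` becomes the only reference to the description buffer, and no release of that field appears anywhere in this patch. The `ua` fields carry a "destroyed with UA struct" note in the first hunk, but nothing equivalent is shown for `disconnect_desc`, and presumably the old `last_alloc` cleanup was what freed it before. The state that consumes the string (`SSHS_NVC_DISCONNECT_LANG`) and the pss teardown are outside the hunk, so please confirm one of them calls `ssh_free_set_NULL(pss->disconnect_desc);`. If neither does, this change trades an aliased pointer for a leak of a peer-controlled allocation.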
@@ -1500,12 +1504,13 @@ again:
 case SSHS_NVC_CHRQ_MODES: /* modes is a stream of byte-pairs, not a string */
 pss->args.pty.modes = (char *)pss->last_alloc;
+ pss->last_alloc = NULL; /* it was adopted */
 pss->args.pty.modes_len = pss->npos;
 n = 0;
 if (pss->vhd->ops && pss->vhd->ops->pty_req) n = pss->vhd->ops->pty_req(pss->ch_temp->priv, &pss->args.pty);
- ssh_free_set_NULL(pss->last_alloc);
+ ssh_free_set_NULL(pss->args.pty.modes);
 if (n) goto chrq_fail;
 if (pss->rq_want_reply)
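Review bot: `pss->args.pty.modes_len` still holds `pss->npos` after `ssh_free_set_NULL(pss->args.pty.modes)` has released the buffer, so `args.pty` is left with a stale length beside a pointer that, going by the macro's name, is now NULL. Clearing it at the same point with `pss->args.pty.modes_len = 0;` keeps the pair consistent for any later reader of `args.pty`. The free also means `modes` is only valid while `pty_req()` runs, which the callback contract should state, e.g. `/* modes is freed when pty_req returns; ops must copy anything they keep */` above the call. The case body continues past the end of the hunk, so later uses of `args.pty` are not visible here.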