avoid leak of pubkey_options

mkj · Mar 6, 2018 · e9edbe8 · e9edbe8
1 parent 4fd3160
commit e9edbe8
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/fuzzer-pubkey.c b/fuzzer-pubkey.c
@@ -30,10 +30,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 		if (have_algo(algoname, algolen, sshhostkey) == DROPBEAR_FAILURE) {
 			dropbear_exit("fuzzer imagined a bogus algorithm");
 		}
-		fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
+
+		int ret = fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
 			algoname, algolen,
 			keyblob->data, keyblob->len);
 
+		if (ret == DROPBEAR_SUCCESS) {
+			/* fuzz_checkpubkey_line() should have cleaned up for failure */
+			svr_pubkey_options_cleanup();
+		}
+
 		buf_free(line);
 		buf_free(keyblob);
 		m_free(algoname);

diff --git a/svr-authpubkey.c b/svr-authpubkey.c
@@ -167,6 +167,10 @@ void svr_auth_pubkey() {
 		sign_key_free(key);
 		key = NULL;
 	}
+	/* Retain pubkey options only if auth succeeded */
+	if (!ses.authstate.authdone) {
+		svr_pubkey_options_cleanup();
+	}
 	TRACE(("leave pubkeyauth"))
 }
 

diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c
@@ -113,7 +113,6 @@ void svr_pubkey_options_cleanup() {
 			m_free(ses.authstate.pubkey_options->forced_command);
 		}
 		m_free(ses.authstate.pubkey_options);
-		ses.authstate.pubkey_options = NULL;
 	}
 }