Fix two double-frees in ssh2_load_userkey().
authorSimon Tatham <anakin@pobox.com>
Tue, 28 Oct 2014 18:39:55 +0000 (18:39 +0000)
committerSimon Tatham <anakin@pobox.com>
Tue, 28 Oct 2014 18:40:43 +0000 (18:40 +0000)
We should NULL out mac after freeing it, so that the cleanup code
doesn't try to free it again; also if the final key creation fails, we
should avoid freeing ret->comment when we're going to go to that same
cleanup code which will free 'comment' which contains the same pointer.

Thanks to Christopher Staite for pointing these out.

sshpubk.c

index cf9e44b365e1da223e4ac369e34a825ca45c3ae0..87f1ebf3db179abbbec1c5fa996e3cb3505d49b3 100644 (file)
--- a/sshpubk.c
+++ b/sshpubk.c
@@ -779,6 +779,7 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
        }
     }
     sfree(mac);
+    mac = NULL;
 
     /*
      * Create and return the key.
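Review bot: The `mac = NULL;` added after `sfree(mac);` looks redundant unless the reader knows that the function's shared cleanup code frees `mac` again, so a short comment would keep it from being dropped in a later tidy-up, e.g. `mac = NULL; /* error path below also frees mac */`. The cleanup code is outside this hunk, so it is not possible to check from here whether other buffers released mid-function need the same reset.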
@@ -789,7 +790,6 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
     ret->data = alg->createkey(public_blob, public_blob_len,
                               private_blob, private_blob_len);
     if (!ret->data) {
-       sfree(ret->comment);
        sfree(ret);
        ret = NULL;
        error = "createkey failed";
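Review bot: In the `if (!ret->data)` branch, nothing in the code records that `ret->comment` holds the same pointer as the local `comment`, which per the commit message is what the shared cleanup code frees. That ownership rule is what prevents the double free, so it deserves a comment where `sfree(ret->comment)` was removed, e.g. `/* ret->comment aliases 'comment'; the error path frees it */`. The success return and the cleanup code lie outside the hunk, so it is worth confirming that `comment` is treated as owned by `ret` only after createkey has succeeded.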