Joe Yates's memory leak patch was overenthusiastically freeing
authorSimon Tatham <anakin@pobox.com>
Thu, 1 Jan 2004 16:42:48 +0000 (16:42 +0000)
committerSimon Tatham <anakin@pobox.com>
Thu, 1 Jan 2004 16:42:48 +0000 (16:42 +0000)
things; it called freebn on the DH gex values even if DH gex had not
taken place. Bug was trivially reproducible as a NULL-dereference
segfault by making any SSH2 connection with DH gex disabled. Should
now be fixed.

[originally from svn r3678]

ssh.c

diff --git a/ssh.c b/ssh.c
index 1d8872304c5faeec64b27060b95ad2739930a697..61786b1085323ea1fffcf7827413208a65694924 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -4356,9 +4356,11 @@ static int do_ssh2_transport(Ssh ssh, unsigned char *in, int inlen, int ispkt)
        logeventf(ssh, "Initialised %s decompression",
                  ssh->sccomp->text_name);
     freebn(s->f);
-    freebn(s->g);
     freebn(s->K);
-    freebn(s->p);
+    if (ssh->kex == &ssh_diffiehellman_gex) {
+       freebn(s->g);
+       freebn(s->p);
+    }
 
     /*
      * If this is the first key exchange phase, we must pass the
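Review bot: The new guard `if (ssh->kex == &ssh_diffiehellman_gex)` decides whether `s->g` and `s->p` may be freed by comparing the kex method pointer, not by whether those bignums were actually allocated, and nothing in the hunk records that coupling, so a later change to how the gex or fixed-group setup populates `s->g`/`s->p` (outside this hunk) would silently reintroduce the leak or the crash. A comment on the guard would pin the invariant, e.g. `/* s->g and s->p are only ours to free when DH gex allocated them; keep in sync with the gex setup path */`. Given that the description attributes the old unconditional `freebn(s->g)` to a NULL dereference, `s->g` and `s->p` are apparently NULL outside the gex path; if that holds, testing the pointers directly and clearing them after the free, e.g. `if (s->p) { freebn(s->p); s->p = NULL; }` and the same for `s->g`, expresses ownership directly and also protects a repeated pass through this code from a double free. The enclosing do_ssh2_transport starts and ends outside the hunk.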