1 files changed, 88 insertions, 0 deletions

diff --git a/backport-upstream-Always-return-allocated-strings-from-the-ke.patch b/backport-upstream-Always-return-allocated-strings-from-the-ke.patch
new file mode 100644
index 0000000..b7febc9
--- /dev/null
+++ b/backport-upstream-Always-return-allocated-strings-from-the-ke.patch
@@ -0,0 +1,88 @@
+From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 1 Jul 2022 03:35:45 +0000
+Subject: upstream: Always return allocated strings from the kex filtering so
+
+that we can free them later.  Fix one leak in compat_kex_proposal.  Based on
+github PR#324 from ZoltanFridrich with some simplications by me. ok djm@
+
+OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946
+---
+ compat.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/compat.c b/compat.c
+index 9120bd2..1d50349 100644
+--- a/compat.c
++++ b/compat.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
++/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
+ /*
+  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
+  *
+@@ -156,11 +156,12 @@ compat_banner(struct ssh *ssh, const char *version)
+ 	debug_f("no match: %s", version);
+ }
+ 
++/* Always returns pointer to allocated memory, caller must free. */
+ char *
+ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
+ {
+ 	if (!(ssh->compat & SSH_BUG_BIGENDIANAES))
+-		return cipher_prop;
++		return xstrdup(cipher_prop);
+ 	debug2_f("original cipher proposal: %s", cipher_prop);
+ 	if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL)
+ 		fatal("match_filter_denylist failed");
+@@ -170,11 +171,12 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
+ 	return cipher_prop;
+ }
+ 
++/* Always returns pointer to allocated memory, caller must free. */
+ char *
+ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ {
+ 	if (!(ssh->compat & SSH_BUG_RSASIGMD5))
+-		return pkalg_prop;
++		return xstrdup(pkalg_prop);
+ 	debug2_f("original public key proposal: %s", pkalg_prop);
+ 	if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
+ 		fatal("match_filter_denylist failed");
+@@ -184,11 +186,15 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ 	return pkalg_prop;
+ }
+ 
++/* Always returns pointer to allocated memory, caller must free. */
+ char *
+ compat_kex_proposal(struct ssh *ssh, char *p)
+ {
++	char *cp = NULL;
++
++
+ 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+-		return p;
++		return xstrdup(p);
+ 	debug2_f("original KEX proposal: %s", p);
+ 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ 		/* coverity[overwrite_var : FALSE] */
+@@ -196,11 +202,13 @@ compat_kex_proposal(struct ssh *ssh, char *p)
+ 		    "curve25519-sha256@libssh.org")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
++		cp = p;
+ 		/* coverity[overwrite_var : FALSE] */
+ 		if ((p = match_filter_denylist(p,
+ 		    "diffie-hellman-group-exchange-sha256,"
+ 		    "diffie-hellman-group-exchange-sha1")) == NULL)
+ 			fatal("match_filter_denylist failed");
++		free(cp);
+ 	}
+ 	debug2_f("compat KEX proposal: %s", p);
+ 	if (*p == '\0')
+-- 
+2.33.0
+