69c72a57af
As Coverity reports:

Overwriting tmp in tmp = make_absolute_pwd_glob(tmp, remote_path) leaks the storage that tmp points to.

Consume the first arg in make_absolute_pwd_glob, and add xstrdup() to the one case which did not assign to the same variable that was passed in. With this change make_absolute() and make_absolute_pwd_glob() have the same semantics with respect to freeing the input string.

This change was reported to OpenSSH in https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-November/040497.html but was not acted on. It appears that OpenBSD subsequently received a Coverity report for the same issue (their Coverity ID 405196) but fixed only the specific instance reported by Coverity.

This change reverts OpenBSD's sftp.c 1.228 / OpenSSH-portable commit 36c6c3eff5e4.

Reported by: Coverity Scan
CID: 1500409
Reviewed by: markj
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37253

heimdal
openssh
openssl
README

$FreeBSD$

This directory is for the EXACT same use as src/contrib, except it holds crypto sources. In other words, this holds raw sources obtained from various third party vendors, with FreeBSD patches applied. No compilation is done from this directory; it is all done from the src/secure directory. The separation between src/contrib and src/crypto is the result of an old USA law, which made these sources export controlled, so they had to be kept separate.