fix leak of CanonicalizePermittedCNAMEs on error path; spotted

by Coverity (CID 438039)

diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 71ef905..101d878 100644 (file)
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.385 2024/03/04 02:16:11 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.386 2024/03/04 04:13:18 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -867,6 +867,20 @@ parse_token(const char *cp, const char *filename, int linenum,
        return oBadOption;
 }
 
+static void
+free_canon_cnames(struct allowed_cname *cnames, u_int n)
+{
+       u_int i;
+
+       if (cnames == NULL || n == 0)
+               return;
+       for (i = 0; i < n; i++) {
+               free(cnames[i].source_list);
+               free(cnames[i].target_list);
+       }
+       free(cnames);
+}
+
 /* Multistate option parsing */
 struct multistate {
        char *key;
@@ -2137,13 +2151,10 @@ parse_pubkey_algos:
                if (found && *activep) {
                        options->permitted_cnames = cnames;
                        options->num_permitted_cnames = ncnames;
-               } else {
-                       for (i = 0; i < ncnames; i++) {
-                               free(cnames[i].source_list);
-                               free(cnames[i].target_list);
-                       }
-                       free(cnames);
+                       cnames = NULL; /* transferred */
+                       ncnames = 0;
                }
+               /* un-transferred cnames is cleaned up before exit */
                break;
 
        case oCanonicalizeHostname:
@@ -2382,6 +2393,7 @@ parse_pubkey_algos:
        /* success */
        ret = 0;
  out:
+       free_canon_cnames(cnames, ncnames);
        opt_array_free2(strs, NULL, nstrs);
        argv_free(oav, oac);
        return ret;