avoid leak of pubkey_options

fuzzer-pubkey.c

@@ -30,10 +30,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 		if (have_algo(algoname, algolen, sshhostkey) == DROPBEAR_FAILURE) {
 			dropbear_exit("fuzzer imagined a bogus algorithm");
 		}
-		fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
+
+		int ret = fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
 			algoname, algolen,
 			keyblob->data, keyblob->len);
 
+		if (ret == DROPBEAR_SUCCESS) {
+			/* fuzz_checkpubkey_line() should have cleaned up for failure */
+			svr_pubkey_options_cleanup();
+		}
+
 		buf_free(line);
 		buf_free(keyblob);
 		m_free(algoname);

svr-authpubkey.c

@@ -167,6 +167,10 @@ out:
 		sign_key_free(key);
 		key = NULL;
 	}
+	/* Retain pubkey options only if auth succeeded */
+	if (!ses.authstate.authdone) {
+		svr_pubkey_options_cleanup();
+	}
 	TRACE(("leave pubkeyauth"))
 }
 

svr-authpubkeyoptions.c

@@ -113,7 +113,6 @@ void svr_pubkey_options_cleanup() {
 			m_free(ses.authstate.pubkey_options->forced_command);
 		}
 		m_free(ses.authstate.pubkey_options);
-		ses.authstate.pubkey_options = NULL;
 	}
 }