From e9edbe8bb204b00c7f4b4fda7eeee9d0177934ae Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Tue, 6 Mar 2018 22:18:20 +0800
Subject: [PATCH] avoid leak of pubkey_options

---
 fuzzer-pubkey.c | 8 +++++++-
 svr-authpubkey.c | 4 ++++
 svr-authpubkeyoptions.c | 1 -
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/fuzzer-pubkey.c b/fuzzer-pubkey.c
index a062e1f..033f496 100644
--- a/fuzzer-pubkey.c
+++ b/fuzzer-pubkey.c
@@ -30,10 +30,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 if (have_algo(algoname, algolen, sshhostkey) == DROPBEAR_FAILURE) {
 dropbear_exit("fuzzer imagined a bogus algorithm");
 }
- fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
+
+ int ret = fuzz_checkpubkey_line(line, 5, "/home/me/authorized_keys",
 algoname, algolen, keyblob->data, keyblob->len);
+ if (ret == DROPBEAR_SUCCESS) {
+ /* fuzz_checkpubkey_line() should have cleaned up for failure */
+ svr_pubkey_options_cleanup();
+ }
+
 buf_free(line);
 buf_free(keyblob);
 m_free(algoname);
diff --git a/svr-authpubkey.c b/svr-authpubkey.c
index 0ca0ea4..e97b158 100644
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -167,6 +167,10 @@ out:
 sign_key_free(key);
 key = NULL;
 }
+ /* Retain pubkey options only if auth succeeded */
+ if (!ses.authstate.authdone) {
+ svr_pubkey_options_cleanup();
+ }
 TRACE(("leave pubkeyauth"))
 }
diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c
index 19f07b9..9498b64 100644
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -113,7 +113,6 @@ void svr_pubkey_options_cleanup() {
 m_free(ses.authstate.pubkey_options->forced_command);
 }
 m_free(ses.authstate.pubkey_options);
- ses.authstate.pubkey_options = NULL;
 }
 }
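Review bot: The comment `/* fuzz_checkpubkey_line() should have cleaned up for failure */` states the failure-path contract as a guess, and the cleanup this series actually adds lands in the svr-authpubkey.c hunk, in the function that traces `leave pubkeyauth`, which is likely reached beneath fuzz_checkpubkey_line() rather than being it. Suggest a comment that says why the harness frees only on success: `/* On success the server keeps pubkey_options for the session, so the harness frees them; on failure the auth code must free them itself, and a leak there is a bug the sanitizer should report. */`. The `int ret` declaration follows statements in LLVMFuzzerTestOneInput, which is valid C99 but warns if the project builds with -Wdeclaration-after-statement; moving it to the top of the function avoids that. LLVMFuzzerTestOneInput starts before and ends after this hunk.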
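Review bot: The cleanup added on the `!ses.authstate.authdone` path now runs on every unsuccessful pubkey attempt, so svr_pubkey_options_cleanup() must be safe both when no options were ever parsed and when it has already run once in this session; that second property is what the svr-authpubkeyoptions.c hunk weakens by deleting `ses.authstate.pubkey_options = NULL;` after `m_free(ses.authstate.pubkey_options);`. The deletion is sound only if m_free() is the pointer-resetting macro rather than a plain free() wrapper; if it is a plain wrapper, the next failed attempt would free a dangling pointer. If the reset is redundant, say so where it was removed, e.g. `m_free(ses.authstate.pubkey_options); /* m_free() resets the pointer, so a repeat cleanup is a no-op */`, and keep the NULL guard that the nested braces in that hunk suggest. The enclosing function starts before this hunk; only its `out:` tail is visible.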