From ed4c38ba467618a7193f4e5dec1d5f0169e0c227 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Wed, 7 Mar 2018 22:14:36 +0800
Subject: [PATCH] fix leak in option handling

---
 svr-authpubkeyoptions.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c
index 9498b64..ba6f698 100644
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -168,6 +168,12 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
 		if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
 			int escaped = 0;
 			const unsigned char* command_start = buf_getptr(options_buf, 0);
+
+			if (ses.authstate.pubkey_options->forced_command) {
+				/* multiple command= options */
+				goto bad_option;
+			}
+
 			while (options_buf->pos < options_buf->len) {
 				const char c = buf_getbyte(options_buf);
 				if (!escaped && c == '"') {