Fix possible memory corruption (#14)

Signed-off-by: Andreas Schneider <mail@cynapses.org>

libssh/agent.c

@@ -327,7 +327,7 @@ int agent_get_ident_count(struct ssh_session_struct *session) {
   }
 
   if (session->agent->ident) {
-    buffer_free(session->agent->ident);
+    buffer_reinit(session->agent->ident);
   }
   session->agent->ident = reply;
 

libssh/auth.c

@@ -268,7 +268,7 @@ int ssh_userauth_none(SSH_SESSION *session, const char *username) {
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_free(service);
   string_free(method);
   string_free(user);
@@ -382,7 +382,7 @@ int ssh_userauth_offer_pubkey(SSH_SESSION *session, const char *username,
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_free(user);
   string_free(method);
   string_free(service);
@@ -503,7 +503,7 @@ int ssh_userauth_pubkey(SSH_SESSION *session, const char *username,
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_free(user);
   string_free(service);
   string_free(method);
@@ -627,7 +627,7 @@ int ssh_userauth_agent_pubkey(SSH_SESSION *session, const char *username,
 
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_free(sign);
   string_free(user);
   string_free(service);
@@ -739,7 +739,7 @@ int ssh_userauth_password(SSH_SESSION *session, const char *username,
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_free(user);
   string_free(service);
   string_free(method);
@@ -1137,7 +1137,7 @@ static int kbdauth_init(SSH_SESSION *session, const char *user,
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_free(usr);
   string_free(service);
   string_free(method);
@@ -1304,7 +1304,7 @@ static int kbdauth_send(SSH_SESSION *session) {
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_burn(answer);
   string_free(answer);
 

libssh/channels.c

@@ -280,7 +280,7 @@ static int grow_window(SSH_SESSION *session, ssh_channel channel, int minimumsiz
   leave_function();
   return 0;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
 
   leave_function();
   return -1;
@@ -799,7 +799,7 @@ int channel_send_eof(ssh_channel channel){
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
 
   leave_function();
   return rc;
@@ -852,7 +852,7 @@ int channel_close(ssh_channel channel){
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
 
   leave_function();
   return rc;
@@ -935,7 +935,7 @@ int channel_write_common(ssh_channel channel, const void *data,
   leave_function();
   return origlen;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
 
   leave_function();
   return SSH_ERROR;
@@ -1074,7 +1074,7 @@ static int channel_request(ssh_channel channel, const char *request,
   leave_function();
   return rc;
 error:
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->out_buffer);
   string_free(req);
 
   leave_function();

libssh/dh.c

@@ -626,20 +626,20 @@ int hashbufout_add_cookie(SSH_SESSION *session) {
   }
 
   if (buffer_add_u8(session->out_hashbuf, 20) < 0) {
-    buffer_free(session->out_hashbuf);
+    buffer_reinit(session->out_hashbuf);
     return -1;
   }
 
   if (session->server) {
     if (buffer_add_data(session->out_hashbuf,
           session->server_kex.cookie, 16) < 0) {
-      buffer_free(session->out_hashbuf);
+      buffer_reinit(session->out_hashbuf);
       return -1;
     }
   } else {
     if (buffer_add_data(session->out_hashbuf,
           session->client_kex.cookie, 16) < 0) {
-      buffer_free(session->out_hashbuf);
+      buffer_reinit(session->out_hashbuf);
       return -1;
     }
   }
@@ -654,11 +654,11 @@ int hashbufin_add_cookie(SSH_SESSION *session, unsigned char *cookie) {
   }
 
   if (buffer_add_u8(session->in_hashbuf, 20) < 0) {
-    buffer_free(session->in_hashbuf);
+    buffer_reinit(session->in_hashbuf);
     return -1;
   }
   if (buffer_add_data(session->in_hashbuf,cookie, 16) < 0) {
-    buffer_free(session->in_hashbuf);
+    buffer_reinit(session->in_hashbuf);
     return -1;
   }
 

libssh/kex.c

@@ -421,8 +421,8 @@ int ssh_send_kex(SSH_SESSION *session, int server_kex) {
   leave_function();
   return 0;
 error:
-  buffer_free(session->out_buffer);
-  buffer_free(session->out_hashbuf);
+  buffer_reinit(session->out_buffer);
+  buffer_reinit(session->out_hashbuf);
   string_free(str);
 
   leave_function();

libssh/server.c

@@ -423,7 +423,7 @@ static int dh_handshake_server(SSH_SESSION *session) {
       buffer_add_ssh_string(session->out_buffer, f) < 0 ||
       buffer_add_ssh_string(session->out_buffer, sign) < 0) {
     ssh_set_error(session, SSH_FATAL, "Not enough space");
-    buffer_free(session->out_buffer);
+    buffer_reinit(session->out_buffer);
     string_free(f);
     string_free(sign);
     return -1;
@@ -436,7 +436,7 @@ static int dh_handshake_server(SSH_SESSION *session) {
   }
 
   if (buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
-    buffer_free(session->out_buffer);
+    buffer_reinit(session->out_buffer);
     return -1;
   }
 

libssh/session.c

@@ -97,8 +97,8 @@ void ssh_cleanup(SSH_SESSION *session) {
   SAFE_FREE(session->serverbanner);
   SAFE_FREE(session->clientbanner);
   SAFE_FREE(session->banner);
-  buffer_free(session->in_buffer);
-  buffer_free(session->out_buffer);
+  buffer_reinit(session->in_buffer);
+  buffer_reinit(session->out_buffer);
   crypto_free(session->current_crypto);
   crypto_free(session->next_crypto);
   ssh_socket_free(session->socket);