From aed9d7a84da4fb4c9e0934475655811416684902 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 19 Jun 2013 12:24:00 +0200
Subject: [PATCH] agent: Fix a possible memory leak.
---
 src/agent.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/agent.c b/src/agent.c
index 897641b1..b962a8e3 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -271,6 +271,7 @@ int ssh_agent_get_ident_count(struct ssh_session_struct *session) {
 unsigned int type = 0;
 unsigned int c1 = 0, c2 = 0;
 uint8_t buf[4] = {0};
+ int rc;
 switch (session->version) {
 case 1:
@@ -312,16 +313,26 @@ int ssh_agent_get_ident_count(struct ssh_session_struct *session) {
 ssh_buffer_free(request);
 /* get message type and verify the answer */
- buffer_get_u8(reply, (uint8_t *) &type);
+ rc = buffer_get_u8(reply, (uint8_t *) &type);
+ if (rc != sizeof(uint8_t)) {
+ ssh_set_error(session, SSH_FATAL,
+ "Bad authentication reply size: %d", rc);
+ ssh_buffer_free(reply);
+ return -1;
+ }
+
 SSH_LOG(session, SSH_LOG_WARN, "Answer type: %d, expected answer: %d", type, c2);
+
 if (agent_failed(type)) {
- return 0;
+ ssh_buffer_free(reply);
+ return 0;
 } else if (type != c2) {
- ssh_set_error(session, SSH_FATAL,
- "Bad authentication reply message type: %d", type);
- return -1;
+ ssh_set_error(session, SSH_FATAL,
+ "Bad authentication reply message type: %d", type);
+ ssh_buffer_free(reply);
+ return -1;
 }
 buffer_get_u32(reply, (uint32_t *) buf);
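Review bot: `buffer_get_u8(reply, (uint8_t *) &type)` in the second hunk still stores the single reply byte into an `unsigned int` (declared in the first hunk's context), so on a big-endian host the byte lands in the high-order end and both `agent_failed(type)` and `type != c2` compare the wrong value. Declaring `uint8_t type = 0;` and calling `rc = buffer_get_u8(reply, &type);` removes the cast and the endianness dependence; the `%d` arguments still promote correctly. The `buffer_get_u32(reply, (uint32_t *) buf)` on the hunk's last line is left unchecked, so a truncated agent reply would presumably be read as a count of zero (since `buf` starts as `{0}`) rather than rejected; it deserves the same size check and `ssh_buffer_free(reply)` as the new u8 path. The function body continues outside the hunk, so whether the later return paths free `reply` cannot be confirmed from here.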