TEST-1277 (TEST Defect Tracking Project)

Variable "Ccname" Going Out of Scope Leaks the Storage It Points To.


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

      Title: Variable "Ccname" Going Out of Scope Leaks the Storage It Points To.

      Defect Dojo link: https://defectdojo.prodsec.redhat.com/finding/2611 (2611)

      Severity: High

      Due Date: Feb. 8, 2024

      CWE: CWE-772

      CVE: CVE-XXXX

      Product/Engagement/Test: rhel-8/openssh / openssh-8.0p1-23.el8 / OSH-SCAN (csmock Scan (SARIF))

      Source File: openssh-8.0p1/auth-krb5.c

      Source Line: 436

      Description:
      *Result message:* Variable "ccname" going out of scope leaks the storage it points to.
      *Snippet:* Problem detected in this context:
      ```
      434| logit("fchmod(): %.100s", strerror(oerrno));
      435| close(tmpfd);
      436|-> return oerrno;
      437| }
      438| /* make sure the KRB5CCNAME is set for non-standard location */
      ```
      *Code flow:*
      1. openssh-8.0p1/auth-krb5.c:L409
      Condition "need_environment", taking true branch.
      2. openssh-8.0p1/auth-krb5.c:L412
      Condition "ret", taking false branch.
      3. openssh-8.0p1/auth-krb5.c:L412
      Condition "!ccname", taking true branch.
      4. openssh-8.0p1/auth-krb5.c:L414
      Condition "ccname", taking false branch.
      5. openssh-8.0p1/auth-krb5.c:L418
      "asprintf" allocates memory that is stored into "ccname". [Note: The source code implementation of the function has been overridden by a builtin model.]
      6. openssh-8.0p1/auth-krb5.c:L420
      Condition "ret < 0", taking false branch.
      7. openssh-8.0p1/auth-krb5.c:L424
      Resource "ccname + strlen("FILE:")" is not freed or pointed-to in "mkstemp". [Note: The source code implementation of the function has been overridden by a builtin model.]
      8. openssh-8.0p1/auth-krb5.c:L427
      Condition "tmpfd == -1", taking false branch.
      9. openssh-8.0p1/auth-krb5.c:L432
      Condition "fchmod(tmpfd, 384U /* 0x100 | 0x80 */) == -1", taking true branch.
      10. openssh-8.0p1/auth-krb5.c:L436
      Variable "ccname" going out of scope leaks the storage it points to.

      References:
      https://cwe.mitre.org/data/definitions/772.html

      Reporter: (ccota) (ccota@redhat.com)

      Assignee: Unassigned
      Reporter (Jira): defectdojo-prodsec (Defect Dojo)