Bug
Resolution: Unresolved
Major
Title: Variable "Opt" Going Out of Scope Leaks the Storage It Points To.
Defect Dojo link: https://defectdojo.prodsec.redhat.com/finding/2612 (2612)
Severity: High
Due Date: Feb. 8, 2024
CWE: CWE-772
CVE: Unknown
Product/Engagement/Test: rhel-8/openssh / openssh-8.0p1-23.el8 / OSH-SCAN (csmock Scan (SARIF))
Source File: openssh-8.0p1/auth-options.c
Source Line: 337
Description:
*Result message:* Variable "opt" going out of scope leaks the storage it points to.
*Snippet:*
Problem detected in this context:
```
335| if (asprintf(&tmp, "*:%s", opt) < 0)
339| free(opt);
```
*Code flow:*
1. openssh-8.0p1/auth-options.c:L323
Condition "npermits > 2147483647", taking false branch.
2. openssh-8.0p1/auth-options.c:L327
Storage is returned from allocation function "opt_dequote".
3. openssh-8.0p1/auth-options.c:L327
Assigning: "opt" = storage returned from "opt_dequote(optsp, &errstr)".
4. openssh-8.0p1/auth-options.c:L327
Condition "(opt = opt_dequote(optsp, &errstr)) == NULL", taking false branch.
5. openssh-8.0p1/auth-options.c:L330
Condition "allow_bare_port", taking true branch.
6. openssh-8.0p1/auth-options.c:L330
Resource "opt" is not freed or pointed-to in "strchr".
7. openssh-8.0p1/auth-options.c:L330
Condition "strchr(opt, 58) == NULL", taking true branch.
8. openssh-8.0p1/auth-options.c:L335
Assuming resource "opt" is not freed or pointed-to as ellipsis argument to "asprintf".
9. openssh-8.0p1/auth-options.c:L335
Condition "asprintf(&tmp, "*:%s", opt) < 0", taking true branch.
10. openssh-8.0p1/auth-options.c:L337
Variable "opt" going out of scope leaks the storage it points to.
References:
https://cwe.mitre.org/data/definitions/772.html
Reporter: (ccota) (ccota@redhat.com)