I think I've found two minor memory management issues (neither exploitable in any way) in OpenSSH 3.7.1p2 that should probably be addressed.

In serverloop.c, function server_input_channel_open(), the ctype variable is a char *, dynamically allocated in packet_get_string. It's xfree'd at the end of the function. However, before that, it's passed to server_request_session/server_request_direct_tcpip, which call either channel_new or channel_connect_to, passing in ctype. The channel structure keeps a pointer to ctype, so when server_input_channel_open returns and xfree's the ctype pointer, the pointer held by the channel structure is now pointing at free'd memory. The channel never appears to use the ctype at all (at least on the server side), so it's probably not a problem, but it probably should be fixed for the future.

In auth2-pubkey.c, the function userauth_pubkey(), around line 98 (inside the have_sig condition), buffer_init is called on the b variable; this mallocs a buffer of 4096 bytes. Later, around line 128, buffer_clear is called. This resets the internal buffer pointers, but does not free the malloc'd memory. I believe this should be buffer_free, as the variable is not used again, and no pointers are kept to its malloc'd data. When the function returns, the pointer to the malloc'd data is lost.

Thanks,
Pete
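An added illustration of the two ownership problems in the report, written here as stand-ins and not taken from OpenSSH or from Pete's mail: a minimal Buffer with the buffer_init/buffer_clear/buffer_free semantics he describes, and a channel_new that keeps its own copy of ctype so the caller's xfree can no longer leave a dangling pointer. The struct layouts, copy_string and the two probe functions are assumptions made for the demo.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSH's Buffer (assumed layout; the real buffer.c differs). */
typedef struct {
    unsigned char *buf;   /* heap block owned by the Buffer */
    size_t alloc, offset, end;
} Buffer;

void buffer_init(Buffer *b) {
    b->alloc = 4096;
    b->buf = malloc(b->alloc);
    b->offset = b->end = 0;
}
/* Resets positions only: the 4096-byte block stays allocated. */
void buffer_clear(Buffer *b) { b->offset = b->end = 0; }
/* Releases the block: what a local Buffer needs before its function returns. */
void buffer_free(Buffer *b) { free(b->buf); b->buf = NULL; b->alloc = 0; }

/* Bytes still held at return: 4096 with the buffer_clear pattern, 0 with buffer_free. */
size_t bytes_retained(int use_free) {
    Buffer b;
    buffer_init(&b);
    if (use_free) buffer_free(&b); else buffer_clear(&b);
    size_t n = b.alloc;
    free(b.buf);   /* reclaim so the demo itself does not leak; no-op after buffer_free */
    return n;
}

/* Stand-in for the channel structure: ctype must be owned, not borrowed. */
typedef struct { char *ctype; } Channel;

static char *copy_string(const char *s) {   /* plays the role of xstrdup */
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
/* Fixed channel_new: stores a copy of ctype rather than the caller's pointer,
 * so the caller may xfree its string as server_input_channel_open does. */
Channel *channel_new(const char *ctype) {
    Channel *c = calloc(1, sizeof *c);
    if (c) c->ctype = copy_string(ctype);
    return c;
}
void channel_free(Channel *c) { if (c) { free(c->ctype); free(c); } }

/* 1 if the channel's ctype still reads "session" after the caller freed its own copy. */
int ctype_survives_caller_free(void) {
    char *ctype = copy_string("session");   /* stands in for packet_get_string() */
    Channel *c = channel_new(ctype);
    free(ctype);                            /* the xfree at the end of the caller */
    int ok = c && c->ctype && strcmp(c->ctype, "session") == 0;
    channel_free(c);
    return ok;
}
```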
