There are 2 bugs here. The first is pipe's return code is not checked in this instance and it can return a negative value. The purpose of the call is to make sure 0 and 1 are not assigned to the pin and pout descriptors because those values won't work for later calls. If the pipe call fails the correct behavior cannot be ensured. This patch adds an error case consistent with the rest of the function. The second bug is a memory leak. arg is allocated with xstrdup. It is the assigned in some paths to another local variable but neither are ever freed. This patch adds the xfree. This entire set of patches passed the regression tests on my system. Bugs found by Coverity. Signed-off-by: Kylene Hall <kjhall at us.ibm.com> --- scp.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletion(-) diff -uprN openssh-4.3p2/scp.c openssh-4.3p2-kylie/scp.c --- openssh-4.3p2/scp.c 2006-01-31 05:11:38.000000000 -0600 +++ openssh-4.3p2-kylie/scp.c 2006-05-08 15:15:04.016516104 -0500 @@ -181,7 +181,8 @@ do_cmd(char *host, char *remuser, char * * Reserve two descriptors so that the real pipes won't get * descriptors 0 and 1 because that will screw up dup2 below. */ - pipe(reserved); + if (pipe(reserved) < 0) + fatal("pipe: %s", strerror(errno)); /* Create a socket pair for communicating with ssh. */ if (pipe(pin) < 0) @@ -490,6 +491,7 @@ toremote(char *targ, int argc, char **ar source(1, argv + i); } } + xfree(arg); } void