authorDamien Miller <djm@mindrot.org>2012-02-11 08:16:28 +1100
committerDamien Miller <djm@mindrot.org>2012-02-11 08:16:28 +1100
commit2ec0342ed4f1fcf4d7b140f9d91bc97c8025221a (patch)
treef92da16e93c9388f4f5777fc22bbd1349ff1f1d3
parenta2876db5e6a26c48bd2a20a9f347a1e668730845 (diff)
- djm@cvs.openbsd.org 2012/01/07 21:11:36
[mux.c] fix double-free in new session handler
-rw-r--r--ChangeLog3
-rw-r--r--mux.c6
2 files changed, 5 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 722be1b3..a5a1e927 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@
- djm@cvs.openbsd.org 2012/01/05 00:16:56
[monitor.c]
memleak on error path
+ - djm@cvs.openbsd.org 2012/01/07 21:11:36
+ [mux.c]
+ fix double-free in new session handler
20120206
- (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
diff --git a/mux.c b/mux.c
index 0b7abda0..d90605eb 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.33 2011/12/04 23:16:12 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.34 2012/01/07 21:11:36 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@@ -341,10 +341,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
env_len = 0;
while (buffer_len(m) > 0) {
#define MUX_MAX_ENV_VARS 4096
- if ((cp = buffer_get_string_ret(m, &len)) == NULL) {
- xfree(cmd);
+ if ((cp = buffer_get_string_ret(m, &len)) == NULL)
goto malf;
- }
if (!env_permitted(cp)) {
xfree(cp);
continue;
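Review bot: The bare `goto malf` after the `buffer_get_string_ret()` check now depends on the `malf` label being the single place that releases `cmd`, and nothing at this site records that rule, which is presumably how the duplicate `xfree(cmd)` crept in. A one-line comment on the jump, for example `/* cmd is released at malf; do not free it here */`, would keep the ownership visible to the next person touching this loop. The label is outside the hunk, so it is worth confirming that it frees `cmd` exactly once and also releases any environment strings collected by earlier iterations of the loop. The body of process_mux_new_session starts and ends outside this hunk.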