File curl-CVE-2023-28319.patch of Package curl.36283

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2023-28319.patch of Package curl.36283

From 8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 8 May 2023 14:33:54 +0200
Subject: [PATCH] libssh2: free fingerprint better

Reported-by: Wei Chong Tan
Closes #11088
---
 lib/vssh/libssh2.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index bfcc94e160178..dd39a844c646b 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -728,11 +728,10 @@ static CURLcode ssh_check_fingerprint(struct Curl_easy *data)
      */
     if((pub_pos != b64_pos) ||
        strncmp(fingerprint_b64, pubkey_sha256, pub_pos)) {
-      free(fingerprint_b64);
-
       failf(data,
             "Denied establishing ssh session: mismatch sha256 fingerprint. "
             "Remote %s is not equal to %s", fingerprint_b64, pubkey_sha256);
+      free(fingerprint_b64);
       state(data, SSH_SESSION_FREE);
       sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
       return sshc->actualcode;

Places

File curl-CVE-2023-28319.patch of Package curl.36283

Places