From 3190ca275e4c64ea0eb6c8ddbd81bc6afe95bc04 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Fri, 6 Feb 2015 19:32:08 -0500
Subject: [PATCH] SSH: Fix some memleaks.

---
 src/analyzer/protocol/ssh/ssh-protocol.pac | 167 +++++++++++----------
 1 file changed, 89 insertions(+), 78 deletions(-)

diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index 36bfcaedf3..e642e87cea 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
@@ -6,44 +6,44 @@ enum version {
 
 enum state {
 	VERSION_EXCHANGE	= 0,
-	KEX_INIT			= 1,
-	KEX_DH_GEX			= 2,
-	KEX_DH				= 3,
-	KEX_ECC				= 4,
-	KEX_GSS				= 5,
-	KEX_RSA				= 6,
-	ENCRYPTED			= 7,
+	KEX_INIT		= 1,
+	KEX_DH_GEX		= 2,
+	KEX_DH			= 3,
+	KEX_ECC			= 4,
+	KEX_GSS			= 5,
+	KEX_RSA			= 6,
+	ENCRYPTED		= 7,
 };
 
-# diffie-hellman-group1-sha1	[RFC4253]		Section 8.1
-# diffie-hellman-group14-sha1	[RFC4253]		Section 8.2
+# diffie-hellman-group1-sha1	[RFC4253]	Section 8.1
+# diffie-hellman-group14-sha1	[RFC4253]	Section 8.2
 enum KEX_DH_message_id {
 	SSH_MSG_KEXDH_INIT  = 30,
 	SSH_MSG_KEXDH_REPLY = 31,
 };
 
-# diffie-hellman-group-exchange-sha1	[RFC4419]		Section 4.1
-# diffie-hellman-group-exchange-sha256	[RFC4419]		Section 4.2
+# diffie-hellman-group-exchange-sha1	[RFC4419]	Section 4.1
+# diffie-hellman-group-exchange-sha256	[RFC4419]	Section 4.2
 enum KEX_DH_GEX_message_id {
-	SSH_MSG_KEX_DH_GEX_REQUEST_OLD		= 30,
-	SSH_MSG_KEX_DH_GEX_GROUP			= 31,
-	SSH_MSG_KEX_DH_GEX_INIT				= 32,
-	SSH_MSG_KEX_DH_GEX_REPLY			= 33,
-	SSH_MSG_KEX_DH_GEX_REQUEST			= 34,
+	SSH_MSG_KEX_DH_GEX_REQUEST_OLD	= 30,
+	SSH_MSG_KEX_DH_GEX_GROUP	= 31,
+	SSH_MSG_KEX_DH_GEX_INIT		= 32,
+	SSH_MSG_KEX_DH_GEX_REPLY	= 33,
+	SSH_MSG_KEX_DH_GEX_REQUEST	= 34,
 };
 
-# rsa1024-sha1			[RFC4432]
-# rsa2048-sha256		[RFC4432]
+# rsa1024-sha1		[RFC4432]
+# rsa2048-sha256	[RFC4432]
 enum KEX_RSA_message_id {
-	SSH_MSG_KEXRSA_PUBKEY		= 30,
-    SSH_MSG_KEXRSA_SECRET		= 31,
-    SSH_MSG_KEXRSA_DONE			= 32,
+	SSH_MSG_KEXRSA_PUBKEY	= 30,
+    SSH_MSG_KEXRSA_SECRET	= 31,
+    SSH_MSG_KEXRSA_DONE		= 32,
 };
 
-# gss-group1-sha1-*		[RFC4462]		Section 2.3
-# gss-group14-sha1-*	[RFC4462]		Section 2.4
-# gss-gex-sha1-*		[RFC4462]		Section 2.5
-# gss-*					[RFC4462]		Section 2.6
+# gss-group1-sha1-*	[RFC4462]	Section 2.3
+# gss-group14-sha1-*	[RFC4462]	Section 2.4
+# gss-gex-sha1-*	[RFC4462]	Section 2.5
+# gss-*			[RFC4462]	Section 2.6
 enum KEX_GSS_message_id {
    	SSH_MSG_KEXGSS_INIT         =  30,
    	SSH_MSG_KEXGSS_CONTINUE     =  31,
@@ -56,8 +56,8 @@ enum KEX_GSS_message_id {
 
 # ecdh-sha2-*			[RFC5656]
 enum KEX_ECDH_message_id {
-	SSH_MSG_KEX_ECDH_INIT       = 30,
-	SSH_MSG_KEX_ECDH_REPLY      = 31,
+	SSH_MSG_KEX_ECDH_INIT    = 30,
+	SSH_MSG_KEX_ECDH_REPLY   = 31,
 };
 
 # ecmqv-sha2			[RFC5656]
@@ -67,74 +67,74 @@ enum KEX_ECMQV_message_id {
 };
 
 enum ssh1_message_id {
-	SSH_MSG_NONE						=  0,
-	SSH_MSG_DISCONNECT					=  1,
-	SSH_SMSG_PUBLIC_KEY					=  2,
-	SSH_CMSG_SESSION_KEY				=  3,
-	SSH_CMSG_USER						=  4,
-	SSH_CMSG_AUTH_RHOSTS				=  5,
-	SSH_CMSG_AUTH_RSA					=  6,
-	SSH_SMSG_AUTH_RSA_CHALLENGE			=  7,
-	SSH_CMSG_AUTH_RSA_RESPONSE			=  8,
-	SSH_CMSG_AUTH_PASSWORD				=  9,
-	SSH_CMSG_REQUEST_PTY				= 10,
-	SSH_CMSG_WINDOW_SIZE				= 11,
-	SSH_CMSG_EXEC_SHELL					= 12,
-	SSH_CMSG_EXEC_CMD					= 13,
-	SSH_SMSG_SUCCESS					= 14,
-	SSH_SMSG_FAILURE					= 15,
-	SSH_CMSG_STDIN_DATA					= 16,
-	SSH_SMSG_STDOUT_DATA				= 17,
-	SSH_SMSG_STDERR_DATA				= 18,
-	SSH_CMSG_EOF						= 19,
-	SSH_SMSG_EXITSTATUS					= 20,
+	SSH_MSG_NONE				=  0,
+	SSH_MSG_DISCONNECT			=  1,
+	SSH_SMSG_PUBLIC_KEY			=  2,
+	SSH_CMSG_SESSION_KEY			=  3,
+	SSH_CMSG_USER				=  4,
+	SSH_CMSG_AUTH_RHOSTS			=  5,
+	SSH_CMSG_AUTH_RSA			=  6,
+	SSH_SMSG_AUTH_RSA_CHALLENGE		=  7,
+	SSH_CMSG_AUTH_RSA_RESPONSE		=  8,
+	SSH_CMSG_AUTH_PASSWORD			=  9,
+	SSH_CMSG_REQUEST_PTY			= 10,
+	SSH_CMSG_WINDOW_SIZE			= 11,
+	SSH_CMSG_EXEC_SHELL			= 12,
+	SSH_CMSG_EXEC_CMD			= 13,
+	SSH_SMSG_SUCCESS			= 14,
+	SSH_SMSG_FAILURE			= 15,
+	SSH_CMSG_STDIN_DATA			= 16,
+	SSH_SMSG_STDOUT_DATA			= 17,
+	SSH_SMSG_STDERR_DATA			= 18,
+	SSH_CMSG_EOF				= 19,
+	SSH_SMSG_EXITSTATUS			= 20,
 	SSH_MSG_CHANNEL_OPEN_CONFIRMATION	= 21,
 	SSH_MSG_CHANNEL_OPEN_FAILURE		= 22,
-	SSH_MSG_CHANNEL_DATA				= 23,
-	SSH_MSG_CHANNEL_CLOSE				= 24,
+	SSH_MSG_CHANNEL_DATA			= 23,
+	SSH_MSG_CHANNEL_CLOSE			= 24,
 	SSH_MSG_CHANNEL_CLOSE_CONFIRMATION	= 25,
 	SSH_CMSG_X11_REQUEST_FORWARDING_OLD	= 26,
-	SSH_SMSG_X11_OPEN					= 27,
+	SSH_SMSG_X11_OPEN			= 27,
 	SSH_CMSG_PORT_FORWARD_REQUEST		= 28,
-	SSH_MSG_PORT_OPEN					= 29,
+	SSH_MSG_PORT_OPEN			= 29,
 	SSH_CMSG_AGENT_REQUEST_FORWARDING	= 30,
-	SSH_SMSG_AGENT_OPEN					= 31,
-	SSH_MSG_IGNORE						= 32,
-	SSH_CMSG_EXIT_CONFIRMATION			= 33,
+	SSH_SMSG_AGENT_OPEN			= 31,
+	SSH_MSG_IGNORE				= 32,
+	SSH_CMSG_EXIT_CONFIRMATION		= 33,
 	SSH_CMSG_X11_REQUEST_FORWARDING		= 34,
-	SSH_CMSG_AUTH_RHOSTS_RSA			= 35,
-	SSH_MSG_DEBUG						= 36,
+	SSH_CMSG_AUTH_RHOSTS_RSA		= 35,
+	SSH_MSG_DEBUG				= 36,
 	SSH_CMSG_REQUEST_COMPRESSION		= 37,
-	SSH_CMSG_MAX_PACKET_SIZE			= 38,
-	SSH_CMSG_AUTH_TIS					= 39,
-	SSH_SMSG_AUTH_TIS_CHALLENGE			= 40,
-	SSH_CMSG_AUTH_TIS_RESPONSE			= 41,
-	SSH_CMSG_AUTH_KERBEROS				= 42,
+	SSH_CMSG_MAX_PACKET_SIZE		= 38,
+	SSH_CMSG_AUTH_TIS			= 39,
+	SSH_SMSG_AUTH_TIS_CHALLENGE		= 40,
+	SSH_CMSG_AUTH_TIS_RESPONSE		= 41,
+	SSH_CMSG_AUTH_KERBEROS			= 42,
 	SSH_SMSG_AUTH_KERBEROS_RESPONSE		= 43,
-	SSH_CMSG_HAVE_KERBEROS_TGT			= 44,
+	SSH_CMSG_HAVE_KERBEROS_TGT		= 44,
 };
 
 enum ssh2_message_id {
-	MSG_DISCONNECT						=   1,
-	MSG_IGNORE							=   2,
-	MSG_UNIMPLEMENTED					=   3,
-	MSG_DEBUG							=   4,
-	MSG_SERVICE_REQUEST					=   5,
-	MSG_SERVICE_ACCEPT					=   6,
-	MSG_KEXINIT							=  20,
-	MSG_NEWKEYS							=  21,
+	MSG_DISCONNECT		=   1,
+	MSG_IGNORE		=   2,
+	MSG_UNIMPLEMENTED	=   3,
+	MSG_DEBUG		=   4,
+	MSG_SERVICE_REQUEST	=   5,
+	MSG_SERVICE_ACCEPT	=   6,
+	MSG_KEXINIT		=  20,
+	MSG_NEWKEYS		=  21,
 };
 
 ## SSH Generic
 
 type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of {
-	VERSION_EXCHANGE    -> version:    	SSH_Version(is_orig);
-	KEX_INIT 			-> kex:        	SSH_Key_Exchange(is_orig);
-	KEX_DH_GEX			-> kex_dh_gex: 	SSH_Key_Exchange_DH_GEX(is_orig);
-	KEX_DH				-> kex_dh: 		SSH_Key_Exchange_DH(is_orig);
-	KEX_ECC				-> kex_ecc: 	SSH_Key_Exchange_ECC(is_orig);
-	KEX_GSS				-> kex_gss: 	SSH_Key_Exchange_GSS(is_orig);
-	KEX_RSA				-> kex_rsa: 	SSH_Key_Exchange_RSA(is_orig);
+	VERSION_EXCHANGE	-> version:    	SSH_Version(is_orig);
+	KEX_INIT 		-> kex:        	SSH_Key_Exchange(is_orig);
+	KEX_DH_GEX		-> kex_dh_gex: 	SSH_Key_Exchange_DH_GEX(is_orig);
+	KEX_DH			-> kex_dh: 		SSH_Key_Exchange_DH(is_orig);
+	KEX_ECC			-> kex_ecc: 	SSH_Key_Exchange_ECC(is_orig);
+	KEX_GSS			-> kex_gss: 	SSH_Key_Exchange_GSS(is_orig);
+	KEX_RSA			-> kex_rsa: 	SSH_Key_Exchange_RSA(is_orig);
 } &byteorder=bigendian;
 
 type SSH_Version(is_orig: bool) = record {
@@ -425,6 +425,11 @@ refine connection SSH_Conn += {
 		kex_algorithm_ = bytestring();
 	%}
 
+	%cleanup{
+		kex_algorithm_.free();
+		kex_algs_cache_.free();
+	%}
+
 	function get_state(is_orig: bool): int
 		%{
 		if ( is_orig )
@@ -514,6 +519,9 @@ refine connection SSH_Conn += {
 					kex_algorithm_.init((const uint8 *) client_list->Lookup(i)->AsStringVal()->Bytes(),
 									    client_list->Lookup(i)->AsStringVal()->Len());
 
+					Unref(client_list);
+					Unref(server_list);
+
 					// UNTESTED
 					if ( update_kex_state_if_equal("rsa1024-sha1", KEX_RSA) )
 						return true;
@@ -556,6 +564,9 @@ refine connection SSH_Conn += {
 					}
 				}
 			}
+			
+		Unref(client_list);
+		Unref(server_list);
 
 		return true;