From 70b199f47659a74b8778c528beccf893843e5ecb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 10 Dec 2009 23:40:44 +0100
Subject: [PATCH] avoid returning data to memory already freed

In case of failure we must make sure that the data we return doesn't point to a memory area already freed. Reported anonymously in the bug report #2910103.
---
 src/userauth.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/userauth.c b/src/userauth.c
index 3ee338e..ffd1db1 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -542,11 +542,6 @@ file_read_publickey(LIBSSH2_SESSION * session, unsigned char **method,
 LIBSSH2_FREE(session, pubkey);
 return -1;
 }
- /* Wasting some bytes here (okay, more than some),
- * but since it's likely to be freed soon anyway,
- * we'll just avoid the extra free/alloc and call it a wash */
- *method = pubkey;
- *method_len = sp1 - pubkey;
 sp1++;
@@ -562,6 +557,13 @@ file_read_publickey(LIBSSH2_SESSION * session, unsigned char **method,
 LIBSSH2_FREE(session, pubkey);
 return -1;
 }
+
+ /* Wasting some bytes here (okay, more than some), but since it's likely
+ * to be freed soon anyway, we'll just avoid the extra free/alloc and call
+ * it a wash */
+ *method = pubkey;
+ *method_len = sp1 - pubkey;
+
 *pubkeydata = tmp;
 *pubkeydata_len = tmp_len;
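Review bot: The relocated `*method_len = sp1 - pubkey;` in the second hunk now executes after the `sp1++;` that the first hunk shows directly below the old location, so unless sp1 is reset in the lines between the two hunks (not visible here) the stored length is one byte larger than before and counts the space separator after the method name. The extra byte still lies inside the pubkey allocation, so this is not an out-of-bounds access, but a caller that treats method/method_len as the key algorithm name would presumably get a name with a trailing space, and public-key authentication could fail. The line should read `*method_len = sp1 - pubkey - 1;`, with a short comment such as `/* sp1 was advanced past the separator above */`. file_read_publickey begins and ends outside both hunks, so the intervening code should be checked before merging.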