OpenSSH fixes double-free memory bug that's pokable over the network (Security News, February 2023)
Telnet was remarkably simple and effective: instead of connecting physical wires to make a teletype connection to remote servers, you used a TELetype NETwork connection instead. Basically, the data that would usually flow back and forth over a dedicated serial connection or dial-up phone connection was sent and received over the internet, using a packet-switched TCP network connection instead of a circuit-switched point-to-point link.
Sshd: fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1.
A double-free bug means that a memory block you already returned to the operating system, so that it could be re-used in other parts of your program, gets returned a second time even though it is no longer yours to give back.
Ironically, if you look at the recent OpenSSH code history, you'll see that OpenSSH had a modest bug in a function called compat_kex_proposal(), used to check what sort of key-exchange algorithm to use when setting up a connection.
The memory block allocated by allocatenewstring1() is never freed up - indeed, it's just abandoned forever, allocated but never used, thus leaking memory.
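To make the ownership mix-up described above concrete, here is an added example in C (not code from the article or from OpenSSH itself) with hypothetical names: filter_entry() stands in for the denylist filter, the COMPAT_* bits stand in for OpenSSH's SSH_BUG_* compatibility flags, and kex_proposal_buggy() and kex_proposal_fixed() contrast a function that sometimes hands the caller's own pointer back (and abandons intermediate blocks) with one that always returns a fresh block and frees each intermediate exactly once.

```c
#include <stdlib.h>
#include <string.h>

enum { COMPAT_NO_CURVE25519 = 1, COMPAT_OLD_DHGEX = 2 }; /* hypothetical stand-ins for SSH_BUG_* bits */
static const char *deny[] = { "curve25519-sha256@libssh.org",
                              "diffie-hellman-group-exchange-sha256" };

/* Copy 'list' into a fresh block, dropping every comma-separated entry equal to 'name'. */
static char *filter_entry(const char *list, const char *name) {
    char *out = malloc(strlen(list) + 1), *w = out;
    size_t k = strlen(name);
    if (!out) return NULL;
    for (const char *p = list;;) {
        const char *e = strchr(p, ',');
        size_t n = e ? (size_t)(e - p) : strlen(p);
        if (n != k || memcmp(p, name, n) != 0) {  /* keep this entry */
            if (w != out) *w++ = ',';
            memcpy(w, p, n); w += n;
        }
        if (!e) break;
        p = e + 1;
    }
    *w = '\0';
    return out;
}

/* Buggy shape: with no compat bits set the caller's own pointer comes back, so a caller that
   frees the result unconditionally frees that block twice; with a bit set, the input block is abandoned. */
char *kex_proposal_buggy(int compat, char *p) {
    if (compat & COMPAT_NO_CURVE25519) p = filter_entry(p, deny[0]); /* previous p is leaked here */
    if (compat & COMPAT_OLD_DHGEX)     p = filter_entry(p, deny[1]); /* and leaked again here */
    return p;
}

/* Fixed shape: the result is always a fresh block the caller owns, never the caller's pointer,
   and each intermediate block is freed exactly once inside this function. */
char *kex_proposal_fixed(int compat, const char *p) {
    size_t n = strlen(p) + 1;
    char *cur = malloc(n), *next;
    if (!cur) return NULL;
    memcpy(cur, p, n);
    for (int i = 0; i < 2; i++) {
        if (!(compat & (1 << i))) continue;
        next = filter_entry(cur, deny[i]);
        free(cur);                       /* intermediate released exactly once */
        cur = next;
        if (!cur) return NULL;
    }
    return cur;
}
```

Because kex_proposal_fixed() never returns the caller's pointer, the caller can free the result unconditionally without risking a double free, which is the ownership rule the buggy shape violates.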
As the OpenSSH team suggests, exploiting this bug will be hard because of the limited privileges that the sshd program has while it's still setting up the connection for use.