From b94b7fbbaa0589aa6ec5fdc733aeb9ff294d2656 Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@samba.org>
Date: Fri, 1 Aug 2014 17:32:15 +1000
Subject: [PATCH] pppd: Eliminate memory leak with multiple instances of a
 string option

This eliminates the memory leak which occurs when a user gives the
same string option multiple times.  Although the leak is trivial under
normal conditions, the fact that it can be triggered by the user
means that it may be of interest to attackers, so let's plug the leak.

This also means that any o_string option without OPT_STATIC set needs
to have opt->addr pointing to a pointer which starts out NULL.  That
is the case for all current uses of o_string.

Signed-off-by: Paul Mackerras <paulus@samba.org>
---
 pppd/options.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pppd/options.c b/pppd/options.c
index e9042d1..f66b765 100644
--- a/pppd/options.c
+++ b/pppd/options.c
@@ -776,10 +776,13 @@ process_option(opt, cmd, argv)
 	if (opt->flags & OPT_STATIC) {
 	    strlcpy((char *)(opt->addr), *argv, opt->upper_limit);
 	} else {
+	    char **optptr = (char **)(opt->addr);
 	    sv = strdup(*argv);
 	    if (sv == NULL)
 		novm("option argument");
-	    *(char **)(opt->addr) = sv;
+	    if (*optptr)
+		free(*optptr);
+	    *optptr = sv;
 	}
 	break;
 
-- 
2.39.2