3 files changed, 13 insertions, 1 deletions

diff --git a/CHANGES b/CHANGES
index 520be1cc3..a408bc3f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,9 @@
                                   Changelog
 
 Daniel Stenberg (18 Oct 2009)
+- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts
+  data!
+
 - John Dennis filed bug report #2873666
   (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem
   which made libcurl loop infinitely when given incorrect credentials when
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 111e98255..a9691ae97 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -38,6 +38,7 @@ This release includes the following bugfixes:
  o invalid file name characters handling on Windows
  o double close() on the primary socket with libcurl-NSS
  o GSS negotiate infinite loop on bad credentials
+ o memory leak in SCP/SFTP connections
 
 This release includes the following known bugs:
 
diff --git a/lib/ssh.c b/lib/ssh.c
index 1503734eb..eaaa8e69a 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -2204,6 +2204,13 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
     break;
 
   case SSH_SESSION_FREE:
+#ifdef HAVE_LIBSSH2_KNOWNHOST_API
+    if(sshc->kh) {
+      libssh2_knownhost_free(sshc->kh);
+      sshc->kh = NULL;
+    }
+#endif
+
     if(sshc->ssh_session) {
       rc = libssh2_session_free(sshc->ssh_session);
       if(rc == LIBSSH2_ERROR_EAGAIN) {
@@ -2565,11 +2572,12 @@ static CURLcode ssh_do(struct connectdata *conn, bool *done)
 static CURLcode scp_disconnect(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
+  struct ssh_conn *ssh = &conn->proto.sshc;
 
   Curl_safefree(conn->data->state.proto.ssh);
   conn->data->state.proto.ssh = NULL;
 
-  if(conn->proto.sshc.ssh_session) {
+  if(ssh->ssh_session) {
     /* only if there's a session still around to use! */
 
     state(conn, SSH_SESSION_DISCONNECT);