
Fix linked-list mismanagement in global request queue.

When we linked a new entry on to the global request queue, we forgot
to set its next pointer to NULL, so that when it was removed again,
s->globreq_head could end up pointing to nonsense.

In addition, even if the next pointer happened to be NULL by luck, we
also did not notice that s->globreq_head had become NULL and respond
by nulling out s->globreq_tail, which would leave s->globreq_tail as a
stale pointer to the just-freed list element, causing a memory access
error on the next attempt to link something on to the list.

This could come up in the situation where you open Change Settings and
configure a remote port forwarding, close it (so that the global
request is sent, queued, replied to, and unqueued again), and then
reopen Change Settings and configure a second one (so that the linked
list in the confused state actually gets used).
Simon Tatham 2022-05-04 12:46:06 +01:00
parent 1088080cdd
commit 03e71efcc5


@ -178,6 +178,7 @@ void ssh2_queue_global_request_handler(
snew(struct outstanding_global_request); snew(struct outstanding_global_request);
ogr->handler = handler; ogr->handler = handler;
ogr->ctx = ctx; ogr->ctx = ctx;
ogr->next = NULL;
if (s->globreq_tail) if (s->globreq_tail)
s->globreq_tail->next = ogr; s->globreq_tail->next = ogr;
else else
@ -372,6 +373,8 @@ static bool ssh2_connection_filter_queue(struct ssh2_connection_state *s)
s->globreq_head = s->globreq_head->next; s->globreq_head = s->globreq_head->next;
sfree(tmp); sfree(tmp);
} }
if (!s->globreq_head)
s->globreq_tail = NULL;
pq_pop(s->ppl.in_pq); pq_pop(s->ppl.in_pq);
break; break;