mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-25 09:12:24 +00:00
Fix linked-list mismanagement in global request queue.
When we linked a new entry on to the global request queue, we forgot to set its next pointer to NULL, so that when it was removed again, s->globreq_head could end up pointing to nonsense. In addition, even if the next pointer happened to be NULL by luck, we also did not notice that s->globreq_head had become NULL and respond by nulling out s->globreq_tail, which would leave s->globreq_tail as a stale pointer to the just-freed list element, causing a memory access error on the next attempt to link something on to the list. This could come up in the situation where you open Change Settings and configure a remote port forwarding, close it (so that the global request is sent, queued, replied to, and unqueued again), and then reopen Change Settings and configure a second one (so that the linked list in the confused state actually gets used).
parent
1088080cdd
commit
03e71efcc5
@ -178,6 +178,7 @@ void ssh2_queue_global_request_handler(
|
|||||||
snew(struct outstanding_global_request);
|
snew(struct outstanding_global_request);
|
||||||
ogr->handler = handler;
|
ogr->handler = handler;
|
||||||
ogr->ctx = ctx;
|
ogr->ctx = ctx;
|
||||||
|
ogr->next = NULL;
|
||||||
if (s->globreq_tail)
|
if (s->globreq_tail)
|
||||||
s->globreq_tail->next = ogr;
|
s->globreq_tail->next = ogr;
|
||||||
else
|
else
|
||||||
@ -372,6 +373,8 @@ static bool ssh2_connection_filter_queue(struct ssh2_connection_state *s)
|
|||||||
s->globreq_head = s->globreq_head->next;
|
s->globreq_head = s->globreq_head->next;
|
||||||
sfree(tmp);
|
sfree(tmp);
|
||||||
}
|
}
|
||||||
|
if (!s->globreq_head)
|
||||||
|
s->globreq_tail = NULL;
|
||||||
|
|
||||||
pq_pop(s->ppl.in_pq);
|
pq_pop(s->ppl.in_pq);
|
||||||
break;
|
break;
|
||||||
|
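Review bot: The added `if (!s->globreq_head)` / `s->globreq_tail = NULL;` in the second hunk restores the invariant that the tail is NULL whenever the head is, but no comment states that invariant, even though breaking it is what left the tail pointing at a freed element. I would add a comment above the check, such as `/* queue is now empty: clear the tail so the next enqueue cannot write through the freed entry */`, and a matching one next to `ogr->next = NULL;` in the first hunk. Both functions continue outside the hunks, so it is not visible here whether entries are unlinked from this list anywhere else. If they are, those paths need the same reset, and a small static dequeue helper that updates head and tail together would keep the rule in one place.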