From 4adbd725caecdbf85034a55d9aa3090f8d873683 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sat, 2 Nov 2019 08:23:58 +0000
Subject: [PATCH] Fix use-after-free in banner handling.

When we fetch a chunk of data from the banner bufchain, we have to read from it _before_ calling bufchain_consume.
---
 ssh2userauth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssh2userauth.c b/ssh2userauth.c
index 833fde8f..32dde8d0 100644
--- a/ssh2userauth.c
+++ b/ssh2userauth.c
@@ -509,9 +509,9 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
 while (bufchain_size(&s->banner) > 0) {
 ptrlen data = bufchain_prefix(&s->banner);
 seat_stderr_pl(s->ppl.seat, data);
- bufchain_consume(&s->banner, data.len);
 mid_line = (((const char *)data.ptr)[data.len-1] != '\n');
+ bufchain_consume(&s->banner, data.len);
 }
 bufchain_clear(&s->banner);