free_prompts: deal with a reference from an Ldisc.

In a GUI app, when interactive userpass input begins, the Ldisc acquires a reference to a prompts_t. If something bad happens to the SSH connection (e.g. unexpected server-side closure), then all the SSH layers will be destroyed, including freeing that prompts_t. So the Ldisc will have a stale reference to it, which it might potentially use. To fix that, I've arranged a back-pointer so that prompts_t itself can find the Ldisc's reference to it, and NULL it out on free. So now, whichever of a prompts_t and an Ldisc is freed first, the link between them should be cleanly broken. (I'm not 100% sure this is absolutely necessary, in the sense of whether a sequence of events can _actually_ happen that causes a stale pointer dereference. But I don't want to take the chance!)
2025-07-01 03:22:48 -05:00 · 2021-09-16 09:41:03 +01:00
parent 7a02234353
commit 65270b56f0
3 changed files with 21 additions and 2 deletions
--- a/utils/prompts.c
+++ b/utils/prompts.c
@ -17,6 +17,7 @@ prompts_t *new_prompts(void)
    p->name_reqd = p->instr_reqd = false;
    p->callback = NULL;
    p->callback_ctx = NULL;
+    p->ldisc_ptr_to_us = NULL;
    return p;
 }

@ -49,6 +50,12 @@ char *prompt_get_result(prompt_t *pr)
 void free_prompts(prompts_t *p)
 {
    size_t i;
+
+    /* If an Ldisc currently knows about us, tell it to forget us, so
+     * it won't dereference a stale pointer later. */
+    if (p->ldisc_ptr_to_us)
+        *p->ldisc_ptr_to_us = NULL;
+
    for (i=0; i < p->n_prompts; i++) {
        prompt_t *pr = p->prompts[i];
        strbuf_free(pr->result);