nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 09:27:59 +00:00
Code Issues Projects Releases Wiki Activity

Fix use-after-free on SSH1_MSG_DISCONNECT.

Browse Source 
Thanks to Ulrich Jannet for pointing this out: in
ssh2_connection_filter_queue, when we process a disconnect message, we
carefully avoid dereferencing the input 'ppl' pointer after
ssh_remote_error returns, because it will have been freed. But
ssh1_connection_filter_queue didn't have the same safety precaution.
This commit is contained in:
Simon Tatham 2019-09-20 14:08:53 +01:00
parent 15653f67e8
commit 69201ad893
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sshcommon.c
View File

@ -980,7 +980,7 @@ bool ssh1_common_filter_queue(PacketProtocolLayer *ppl)
ssh_remote_error(ppl->ssh,
"Remote side sent disconnect message:\n\"%.*s\"",
PTRLEN_PRINTF(msg));
pq_pop(ppl->in_pq);
/* don't try to pop the queue, because we've been freed! */
return true; /* indicate that we've been freed */
case SSH1_MSG_DEBUG: