From 69201ad8936fe0ff1b8723b7a43accb5e9f1c888 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Fri, 20 Sep 2019 14:08:53 +0100
Subject: [PATCH] Fix use-after-free on SSH1_MSG_DISCONNECT.

Thanks to Ulrich Jannet for pointing this out: in ssh2_connection_filter_queue, when we process a disconnect message, we carefully avoid dereferencing the input 'ppl' pointer after ssh_remote_error returns, because it will have been freed. But ssh1_connection_filter_queue didn't have the same safety precaution.
---
 sshcommon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sshcommon.c b/sshcommon.c
index 39f2a65e..26073843 100644
--- a/sshcommon.c
+++ b/sshcommon.c
@@ -980,7 +980,7 @@ bool ssh1_common_filter_queue(PacketProtocolLayer *ppl)
 ssh_remote_error(ppl->ssh, "Remote side sent disconnect message:\n\"%.*s\"", PTRLEN_PRINTF(msg));
- pq_pop(ppl->in_pq);
+ /* don't try to pop the queue, because we've been freed! */
 return true; /* indicate that we've been freed */
 case SSH1_MSG_DEBUG: