mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00

Fix use-after-free on SSH1_MSG_DISCONNECT.

Thanks to Ulrich Jannet for pointing this out: in
ssh2_connection_filter_queue, when we process a disconnect message, we
carefully avoid dereferencing the input 'ppl' pointer after
ssh_remote_error returns, because it will have been freed. But
ssh1_connection_filter_queue didn't have the same safety precaution.
Simon Tatham 2019-09-20 14:08:53 +01:00
parent 15653f67e8
commit 69201ad893


@ -980,7 +980,7 @@ bool ssh1_common_filter_queue(PacketProtocolLayer *ppl)
ssh_remote_error(ppl->ssh,
"Remote side sent disconnect message:\n\"%.*s\"",
PTRLEN_PRINTF(msg));
pq_pop(ppl->in_pq);
/* don't try to pop the queue, because we've been freed! */
return true; /* indicate that we've been freed */
case SSH1_MSG_DEBUG:
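Review bot: the fix itself is right, since `ssh_remote_error(ppl->ssh, ...)` frees the layer and the removed `pq_pop(ppl->in_pq);` was a use-after-free on that freed `ppl`, but the safety now rests entirely on the `return true; /* indicate that we've been freed */` contract, so every caller of `ssh1_common_filter_queue` must check that return value and stop touching `ppl` (and its `in_pq`) immediately when it is true; it would be worth confirming each call site does so, and stating that "true means the layer has been freed" contract in the function's doc comment rather than only at this one `return`. Also note the hunk header names `ssh1_common_filter_queue` while the commit message refers to `ssh1_connection_filter_queue`; one of the two should be corrected so the message matches the code it changes.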