mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 09:27:59 +00:00

Fix reentrancy bug around sshfwd_x11_sharing_handover.

When we get an incoming forwarded X11 channel over SSH, we keep it as
an upstream channel for long enough to decide from its auth data which
downstream (if any) it's destined for. Then we do a handover which
retags the channel as a sharing one, so all further SSH messages are
passed through trivially.

But the handover function is called from chan_send, which in turn is
called from the processing of the CHANNEL_DATA message that completed
the auth exchange. So after the handover finishes, we were coming back
to the standard CHANNEL_DATA processing and calling ssh2_set_window,
which tried to dereference c->chan, which has now become NULL.

Therefore, we should check for this case after calling chan_send, and
stop doing the post-send processing if we spot it, which avoids that
segfault.
Simon Tatham 2019-04-03 20:58:10 +01:00
parent f9e2c7b1fe
commit 77bdaa2436
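The reentrancy pattern the commit message describes, reduced to a small C model: a send routine that can run a callback which retags the object being processed, a post-send step that dereferences a pointer the callback cleared, and the caller re-checking state after the call. This is an added example, not PuTTY's code; every identifier in it (channel, chan_impl, chan_send, sharing_handover, set_window, process_data_fixed, process_data_unfixed) is constructed for illustration and only loosely mirrors the names in the commit.

```c
/* Added example, not PuTTY code. Models the hazard in the commit
 * message: chan_send may call back into a handover that sets
 * c->sharectx and clears c->chan while the caller is still in the
 * middle of handling the same message. All names are constructed. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

struct chan_impl {
    int window_consumed;        /* bytes accounted against the window */
};

struct channel {
    struct chan_impl impl;      /* storage for the upstream implementation */
    struct chan_impl *chan;     /* points at impl, or NULL once handed over */
    void *sharectx;             /* non-NULL once the channel is a shared passthrough */
    size_t auth_needed;         /* constructed: auth bytes still outstanding */
};

static int share_token;         /* stands in for a downstream sharing context */

/* Initialise a channel that needs auth_needed bytes before handover. */
static void channel_init(struct channel *c, size_t auth_needed)
{
    c->impl.window_consumed = 0;
    c->chan = &c->impl;
    c->sharectx = NULL;
    c->auth_needed = auth_needed;
}

/* The handover: retag the channel as shared and drop the upstream impl. */
static void sharing_handover(struct channel *c)
{
    c->sharectx = &share_token;
    c->chan = NULL;
}

/* Delivering data may complete the auth phase and, from inside this
 * call, hand the channel over. The caller's view of c is stale afterwards. */
static void chan_send(struct channel *c, size_t len)
{
    if (len >= c->auth_needed) {
        c->auth_needed = 0;
        sharing_handover(c);    /* reentrant state change */
    } else {
        c->auth_needed -= len;
    }
}

/* Post-send bookkeeping that dereferences c->chan. */
static void set_window(struct channel *c, size_t len)
{
    c->chan->window_consumed += (int)len;
}

enum outcome { DATA_OK, DATA_HANDED_OVER, DATA_WOULD_CRASH };

/* Pre-fix flow: post-send work runs unconditionally. To keep the example
 * runnable, the NULL dereference is reported rather than performed. */
static enum outcome process_data_unfixed(struct channel *c, size_t len)
{
    chan_send(c, len);
    if (c->chan == NULL)
        return DATA_WOULD_CRASH;    /* real code would fault in set_window */
    set_window(c, len);
    return DATA_OK;
}

/* Fixed flow, as in the commit: re-check the channel's state after the
 * call that may have run the callback and skip the post-send work if it did. */
static enum outcome process_data_fixed(struct channel *c, size_t len)
{
    chan_send(c, len);
    if (c->sharectx)
        return DATA_HANDED_OVER;
    set_window(c, len);
    return DATA_OK;
}

int main(void)
{
    struct channel c;
    channel_init(&c, 8);
    printf("fixed, partial auth:  %d\n", process_data_fixed(&c, 4));   /* DATA_OK */
    printf("fixed, auth complete: %d\n", process_data_fixed(&c, 4));   /* DATA_HANDED_OVER */

    struct channel d;
    channel_init(&d, 8);
    printf("unfixed, auth complete: %d\n", process_data_unfixed(&d, 8)); /* DATA_WOULD_CRASH */
    return 0;
}
```

The general rule the example encodes: after any call that can invoke callbacks on the object you hold, treat the object's fields as unknown until you have re-read the ones you depend on, and guard on the field the callback actually changes.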


@ -535,6 +535,17 @@ static bool ssh2_connection_filter_queue(struct ssh2_connection_state *s)
c->chan, ext_type == SSH2_EXTENDED_DATA_STDERR,
data.ptr, data.len);
/*
* The channel may have turned into a connection-
* shared one as a result of that chan_send, e.g.
* if the data we just provided completed the X11
* auth phase and caused a callback to
* x11_sharing_handover. If so, do nothing
* further.
*/
if (c->sharectx)
break;
/*
* If it looks like the remote end hit the end of
* its window, and we didn't want it to do that,
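Review bot: the guard `if (c->sharectx) break;` tests a different field from the one the commit message says becomes NULL (`c->chan`), so it prevents the ssh2_set_window dereference only as long as x11_sharing_handover sets `sharectx` and clears `chan` together; either state that coupling in the comment above the check or guard on `!c->chan` directly, since `c->chan` is the pointer the post-send path dereferences. The comment's "do nothing further" would also read better if it said why: the remaining post-send work (the window handling that follows) applies only to a channel that still has a `chan`.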