From 7e984e5f9d6264ea8b12b6b178ba8cc827bdd9d0 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Fri, 18 May 2018 11:41:17 +0100
Subject: [PATCH] Null out a couple of pointers when they're empty.

ssh->current_user_input_fn was not set to NULL when the ssh structure was initially set up, which meant that with sufficiently eager typeahead it could accidentally be called while still full of garbage.

And ssh->connshare is freed in more than one place (by ssh_free and also by do_ssh_close), but only one of those places nulls it out to stop the other one trying to free it a second time.
---
 ssh.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ssh.c b/ssh.c
index 2b454594..5ee6b96c 100644
--- a/ssh.c
+++ b/ssh.c
@@ -12409,6 +12409,7 @@ static const char *ssh_init(void *frontend_handle, void **backend_handle,
     ssh->user_input_consumer.fn = ssh_process_user_input;
     ssh->user_input_consumer.ctx = ssh;
     ssh->user_input_consumer.queued = FALSE;
+    ssh->current_user_input_fn = NULL;
     ssh->pending_newkeys = FALSE;
     ssh->rekey_reason = NULL;
     ssh->rekey_class = RK_INITIAL;
@@ -12563,8 +12564,10 @@ static void ssh_free(void *handle)
         ssh->channels = NULL;
     }
 
-    if (ssh->connshare)
+    if (ssh->connshare) {
         sharestate_free(ssh->connshare);
+        ssh->connshare = NULL;
+    }
 
     if (ssh->rportfwds) {
         while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
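Review bot: The added `ssh->current_user_input_fn = NULL;` in ssh_init closes one uninitialized-pointer gap, but it depends on every pointer member of the ssh structure being listed explicitly, and the allocation of `ssh` is not visible in this hunk. If the structure comes from a non-zeroing allocator, zero-initialising it once at allocation (for example `memset(ssh, 0, sizeof *ssh);` immediately after it is created) would make every present and future pointer field start out NULL and remove the class of bug rather than this one instance of it; the explicit `= NULL` line could then stay as documentation of the invariant. A garbage function pointer reached by early typeahead is a control-flow hazard, not just a crash, so the defence is worth making structural. ssh_init's body begins and ends outside this hunk, as does ssh_free's in the second hunk.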