
Check the return value from ssh2_transport_filter_queue!

I carefully made it return a bool to indicate that the whole PPL had
been freed, and then never actually checked that return value, so any
kind of connection-fatal event inside filter_queue (such as reporting
a DISCONNECT message) would cause a reference to freed memory on
return.
Simon Tatham 2019-03-10 19:25:21 +00:00
parent 58fd58d64c
commit 804ac21381


@ -408,7 +408,8 @@ static bool ssh2_transport_filter_queue(struct ssh2_transport_state *s)
PktIn *ssh2_transport_pop(struct ssh2_transport_state *s) PktIn *ssh2_transport_pop(struct ssh2_transport_state *s)
{ {
ssh2_transport_filter_queue(s); if (ssh2_transport_filter_queue(s))
return NULL; /* we've been freed */
return pq_pop(s->ppl.in_pq); return pq_pop(s->ppl.in_pq);
} }
@ -988,7 +989,8 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
* from, even if we're _not_ looping on pq_pop. That way we can * from, even if we're _not_ looping on pq_pop. That way we can
* still proactively handle those messages even if we're waiting * still proactively handle those messages even if we're waiting
* for a user response. */ * for a user response. */
ssh2_transport_filter_queue(s); if (ssh2_transport_filter_queue(s))
return; /* we've been freed */
crBegin(s->crState); crBegin(s->crState);
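Review bot: In `ssh2_transport_pop` a NULL return now has two meanings the caller cannot tell apart: whatever `pq_pop` yields when no packet is queued (presumably NULL), and "the transport state was freed inside filter_queue". A caller that sees NULL and then touches `s` would still read freed memory, so the contract deserves a comment above the function, e.g. `/* May return NULL because s itself was freed during filtering: after a NULL return, do not touch s before returning to the caller. */`. Since the original bug was an ignored bool, it may also be worth marking the declaration of `ssh2_transport_filter_queue` (outside these hunks) as must-check, e.g. `__attribute__((warn_unused_result))` where the compiler supports it, so a future unchecked call is flagged at build time. The body of `ssh2_transport_process_queue` continues past the second hunk.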