From 85770b203681247be68db0ce59fde94dbede4062 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Fri, 23 Nov 2018 19:21:01 +0000 Subject: [PATCH] Add missing expire_timer_context in ssh2_transport_free. This should have been moved over from the main ssh_free function back when I did the original splitting-up of ssh.c: the transport layer schedules a timer for rekeying (and also for GSSAPI credential checks), so when it's freed, it needs to ensure the timer doesn't get called anyway on a stale pointer. Two users reported this in the form of an assertion failure in conf_get_int (when ssh2_transport_timer asks for CONF_ssh_rekey_time, if the tree234 call inside conf_get_int is confused by the contents of the freed memory into returning failure). In other circumstances (if the freed memory has different contents) it manifests as a segfault, but it's the same underlying bug either way. --- ssh2transport.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssh2transport.c b/ssh2transport.c index 2a713413..ae00b28a 100644 --- a/ssh2transport.c +++ b/ssh2transport.c @@ -215,6 +215,8 @@ static void ssh2_transport_free(PacketProtocolLayer *ppl) strbuf_free(s->outgoing_kexinit); strbuf_free(s->incoming_kexinit); ssh_transient_hostkey_cache_free(s->thc); + + expire_timer_context(s); sfree(s); }
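Review bot: the placement of the new `expire_timer_context(s);` immediately before `sfree(s);` is the right ordering, since the timer context being cancelled is the same pointer that is about to be freed; putting it any later would compare against an already-released pointer, and putting it any earlier would leave a window in which `strbuf_free`/`ssh_transient_hostkey_cache_free` run while a timer callback could still fire on a partially torn-down layer. Given that the commit message says the same context is used for both the rekey timer and the GSSAPI credential-check timer, one `expire_timer_context(s)` covers both, which is worth a one-line comment above the call (e.g. `/* cancel rekey and GSS timers scheduled on this layer */`) so the next refactor of `ssh2_transport_free` does not drop it again the way the original split of `ssh.c` did. The extra blank `+` line before the call is a style nit; either drop it or keep it consistent with how the other teardown calls in this function are grouped.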