Fix null-dereference in ssh2_channel_response.

In the SSH-2 connection layer, an outstanding_channel_request structure comes with a handler to be called back with the reply packet, when the other end sends one. But sometimes it doesn't - if the channel begins to close before the request has been replied to - in which case the handler function is called with a NULL packet pointer. The common ssh2_channel_response function that handles most of the client-side channel requests was not prepared to cope with that pointer being null. Fixed by making it handle a null return the same as CHANNEL_FAILURE. (cherry picked from commit e4b6a7efd2)
2025-01-09 17:38:00 +00:00 · 2020-04-03 17:53:36 +01:00 · 2020-04-03 17:53:36 +01:00 · 9331bb3c57
commit 9331bb3c57
parent 464ab136c2
1 changed files with 5 additions and 1 deletions
--- a/ssh2connection-client.c
+++ b/ssh2connection-client.c
@ -315,7 +315,11 @@ SshChannel *ssh2_serverside_agent_open(ConnectionLayer *cl, Channel *chan)
 static void ssh2_channel_response(
    struct ssh2_channel *c, PktIn *pkt, void *ctx)
 {
-    chan_request_response(c->chan, pkt->type == SSH2_MSG_CHANNEL_SUCCESS);
+    /* If pkt==NULL (because this handler has been called in response
+     * to CHANNEL_CLOSE arriving while the request was still
+     * outstanding), we treat that the same as CHANNEL_FAILURE. */
+    chan_request_response(c->chan,
+                          pkt && pkt->type == SSH2_MSG_CHANNEL_SUCCESS);
 }

 void ssh2channel_start_shell(SshChannel *sc, bool want_reply)