From ae93b52a9c80d84470250ae8595d2cdf1448562a Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sun, 7 Jun 2015 21:09:41 +0100
Subject: [PATCH] Clean up downstream sockets when upstream loses its SSH connection.

If the real SSH connection goes away and we call sharestate_free with downstreams still active, then that in turn calls share_connstate_free on all those downstreams, freeing the things their sockets are using as Plugs but not actually closing the sockets, so further data coming in from downstream gives rise to a use-after-free bug.

(Thanks to Timothe Litt for a great deal of help debugging this.)

(cherry picked from commit 0b2f283622603242d8bce295e42342649aebbb97)
---
 sshshare.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sshshare.c b/sshshare.c
index 2b2f69a9..1c0e3cba 100644
--- a/sshshare.c
+++ b/sshshare.c
@@ -502,6 +502,9 @@ static void share_connstate_free(struct ssh_sharing_connstate *cs)
         sfree(globreq);
     }
+    if (cs->sock)
+        sk_close(cs->sock);
+
     sfree(cs);
 }
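Review bot: The new sk_close() before sfree(cs) relies on every other path that closes cs->sock also resetting the field to NULL; if any caller closes the socket itself and leaves cs->sock pointing at the closed socket, this guard turns that into a second sk_close() on an already-released socket, so that invariant is worth checking at the call sites (share_connstate_free's body and its callers lie outside this hunk). A short comment would record why the ordering matters, e.g. `/* The socket holds cs as its Plug; close it before freeing cs so that no further downstream data or error callbacks can reach freed memory. */`. It is also worth confirming that sk_close() guarantees no callback into this Plug after it returns, since that is the property the fix depends on.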