From e857e43361def326df7203e0be5c4feaf7824a05 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Fri, 28 Sep 2018 11:26:26 +0100
Subject: [PATCH] Fix use-after-free on a network error.

When any BPP calls ssh_remote_error or ssh_remote_eof, it triggers an immediate cleanup of the BPP itself - so on return from one of those functions we should avoid going straight to the crFinish macro, because that will write to s->crState, which no longer exists.
---
 ssh1bpp.c | 1 +
 ssh2bpp-bare.c | 1 +
 ssh2bpp.c | 1 +
 sshverstring.c | 1 +
 4 files changed, 4 insertions(+)

diff --git a/ssh1bpp.c b/ssh1bpp.c
index e57676cc..98763e03 100644
--- a/ssh1bpp.c
+++ b/ssh1bpp.c
@@ -245,6 +245,7 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
 } else {
 ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
 }
+ return; /* avoid touching s now it's been freed */
 crFinishV;
 }
diff --git a/ssh2bpp-bare.c b/ssh2bpp-bare.c
index 49689c3b..ba40e7ab 100644
--- a/ssh2bpp-bare.c
+++ b/ssh2bpp-bare.c
@@ -136,6 +136,7 @@ static void ssh2_bare_bpp_handle_input(BinaryPacketProtocol *bpp)
 } else {
 ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
 }
+ return; /* avoid touching s now it's been freed */
 crFinishV;
 }
diff --git a/ssh2bpp.c b/ssh2bpp.c
index c81e0f59..6bda41d0 100644
--- a/ssh2bpp.c
+++ b/ssh2bpp.c
@@ -516,6 +516,7 @@ static void ssh2_bpp_handle_input(BinaryPacketProtocol *bpp)
 } else {
 ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
 }
+ return; /* avoid touching s now it's been freed */
 crFinishV;
 }
diff --git a/sshverstring.c b/sshverstring.c
index 612c3194..d9bc8077 100644
--- a/sshverstring.c
+++ b/sshverstring.c
@@ -396,6 +396,7 @@ void ssh_verstring_handle_input(BinaryPacketProtocol *bpp)
 eof:
 ssh_remote_error(s->bpp.ssh, "Server unexpectedly closed network connection");
+ return; /* avoid touching s now it's been freed */
 crFinishV;
 }
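Review bot: The added `return;` in ssh1_bpp_handle_input makes the following `crFinishV;` unreachable, so the coroutine's crState is never advanced to its finished value after a remote error or EOF; that is only safe because, per the commit message, ssh_remote_eof and ssh_remote_error tear the BPP down synchronously before returning. If that teardown were ever deferred, a further handle_input call would presumably resume at the previous crReturn and report the EOF a second time, and the existing comment only names the consequence, not the contract it depends on. I would make the dependency explicit, e.g. `return; /* ssh_remote_eof/ssh_remote_error free this BPP before returning; s is dangling, so crFinishV must not run */`, and expect a -Wunreachable-code note on the dead `crFinishV;` line. The same point applies to the ssh2bpp-bare.c, ssh2bpp.c and sshverstring.c hunks, and each enclosing function begins outside its hunk.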