Fix use-after-free on a network error.

When any BPP calls ssh_remote_error or ssh_remote_eof, it triggers an immediate cleanup of the BPP itself - so on return from one of those functions we should avoid going straight to the crFinish macro, because that will write to s->crState, which no longer exists.
2025-07-03 20:42:48 -05:00 · 2018-09-28 11:26:26 +01:00
parent ed0104c2fe
commit e857e43361
4 changed files with 4 additions and 0 deletions
--- a/sshverstring.c
+++ b/sshverstring.c
@ -396,6 +396,7 @@ void ssh_verstring_handle_input(BinaryPacketProtocol *bpp)
  eof:
    ssh_remote_error(s->bpp.ssh,
                     "Server unexpectedly closed network connection");
+    return;  /* avoid touching s now it's been freed */

    crFinishV;
 }