Fix use-after-free on a network error.

When any BPP calls ssh_remote_error or ssh_remote_eof, it triggers an
immediate cleanup of the BPP itself - so on return from one of those
functions we should avoid going straight to the crFinish macro,
because that will write to s->crState, which no longer exists.

ssh1bpp.c

@@ -245,6 +245,7 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
     } else {
         ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
     }
+    return;  /* avoid touching s now it's been freed */
 
     crFinishV;
 }

ssh2bpp-bare.c

@@ -136,6 +136,7 @@ static void ssh2_bare_bpp_handle_input(BinaryPacketProtocol *bpp)
     } else {
         ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
     }
+    return;  /* avoid touching s now it's been freed */
 
     crFinishV;
 }

ssh2bpp.c

@@ -516,6 +516,7 @@ static void ssh2_bpp_handle_input(BinaryPacketProtocol *bpp)
     } else {
         ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
     }
+    return;  /* avoid touching s now it's been freed */
 
     crFinishV;
 }

sshverstring.c

@@ -396,6 +396,7 @@ void ssh_verstring_handle_input(BinaryPacketProtocol *bpp)
   eof:
     ssh_remote_error(s->bpp.ssh,
                      "Server unexpectedly closed network connection");
+    return;  /* avoid touching s now it's been freed */
 
     crFinishV;
 }