mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-25 01:02:24 +00:00
Fix use-after-free on a network error.
When any BPP calls ssh_remote_error or ssh_remote_eof, it triggers an immediate cleanup of the BPP itself - so on return from one of those functions we should avoid going straight to the crFinish macro, because that will write to s->crState, which no longer exists.
This commit is contained in:
parent
ed0104c2fe
commit
e857e43361
@ -245,6 +245,7 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
|
||||
} else {
|
||||
ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
|
||||
}
|
||||
return; /* avoid touching s now it's been freed */
|
||||
|
||||
crFinishV;
|
||||
}
|
||||
|
@ -136,6 +136,7 @@ static void ssh2_bare_bpp_handle_input(BinaryPacketProtocol *bpp)
|
||||
} else {
|
||||
ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
|
||||
}
|
||||
return; /* avoid touching s now it's been freed */
|
||||
|
||||
crFinishV;
|
||||
}
|
||||
|
@ -516,6 +516,7 @@ static void ssh2_bpp_handle_input(BinaryPacketProtocol *bpp)
|
||||
} else {
|
||||
ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
|
||||
}
|
||||
return; /* avoid touching s now it's been freed */
|
||||
|
||||
crFinishV;
|
||||
}
|
||||
|
@ -396,6 +396,7 @@ void ssh_verstring_handle_input(BinaryPacketProtocol *bpp)
|
||||
eof:
|
||||
ssh_remote_error(s->bpp.ssh,
|
||||
"Server unexpectedly closed network connection");
|
||||
return; /* avoid touching s now it's been freed */
|
||||
|
||||
crFinishV;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user