From fe408562fa34cbde8ecd5739b24da3d8e6991a4f Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Mon, 25 Mar 2019 20:49:04 +0000
Subject: [PATCH] portfwdmgr_config: null out pointers we're destroying.

In particular, a report today pointed out that the call to
pfl_terminate(pfr->local) directly from portfwdmgr_config() was then
repeated from inside pfr_free(pfr) which we called four lines later,
leading to a double-free crash. Now we null out pfr->local the first
time, so the call in pfr_free is skipped.

While I'm at it, I've nulled out pfr->remote similarly; that doesn't
cause any crash that I can see, but it's a good habit to get into for
futureproofing.
---
 portfwd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/portfwd.c b/portfwd.c
index 6fd3d406..49a8d50a 100644
--- a/portfwd.c
+++ b/portfwd.c
@@ -959,8 +959,10 @@ void portfwdmgr_config(PortFwdManager *mgr, Conf *conf)
                  * rejected.
                  */
                 ssh_rportfwd_remove(mgr->cl, pfr->remote);
+                pfr->remote = NULL;
             } else if (pfr->local) {
                 pfl_terminate(pfr->local);
+                pfr->local = NULL;
             }
 
             delpos234(mgr->forwardings, i);