From fe408562fa34cbde8ecd5739b24da3d8e6991a4f Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Mon, 25 Mar 2019 20:49:04 +0000
Subject: [PATCH] portfwdmgr_config: null out pointers we're destroying.

In particular, a report today pointed out that the call to pfl_terminate(pfr->local) directly from portfwdmgr_config() was then repeated from inside pfr_free(pfr) which we called four lines later, leading to a double-free crash. Now we null out pfr->local the first time, so the call in pfr_free is skipped. While I'm at it, I've nulled out pfr->remote similarly; that doesn't cause any crash that I can see, but it's a good habit to get into for futureproofing.
---
 portfwd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/portfwd.c b/portfwd.c
index 6fd3d406..49a8d50a 100644
--- a/portfwd.c
+++ b/portfwd.c
@@ -959,8 +959,10 @@ void portfwdmgr_config(PortFwdManager *mgr, Conf *conf)
 * rejected. */
 ssh_rportfwd_remove(mgr->cl, pfr->remote);
+ pfr->remote = NULL;
 } else if (pfr->local) {
 pfl_terminate(pfr->local);
+ pfr->local = NULL;
 }
 delpos234(mgr->forwardings, i);