aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOliver Stöneberg <oliverst@online.de>2011-05-04 09:20:15 -0700
committerAndreas Schneider <asn@cryptomilk.org>2011-05-17 20:57:38 +0200
commite5fb20c17b3412cc2fcad60c8fba81fa7d9a2bc8 (patch)
tree88bdcad8ae74d6055db328eda2a51b25bb148dd0
parentc472bd743787e145aee342f3123ca260471ee7bc (diff)
downloadlibssh-e5fb20c17b3412cc2fcad60c8fba81fa7d9a2bc8.tar.gz
libssh-e5fb20c17b3412cc2fcad60c8fba81fa7d9a2bc8.tar.xz
libssh-e5fb20c17b3412cc2fcad60c8fba81fa7d9a2bc8.zip
socket: Fixed use-after-free.
When s->callbacks->exception() was called in ssh_socket_pollcallback() we had a use after free bug. (cherry picked from commit 986676378943353cdcf156493812737dc91befdd)
-rw-r--r--src/socket.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/socket.c b/src/socket.c
index f3da4280..5d92b6c9 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -253,6 +253,9 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r
s->callbacks->exception(
SSH_SOCKET_EXCEPTION_ERROR,
s->last_errno,s->callbacks->userdata);
+ /* p may have been freed, so don't use it
+ * anymore in this function */
+ p = NULL;
}
}
if(r==0){
@@ -266,6 +269,9 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r
s->callbacks->exception(
SSH_SOCKET_EXCEPTION_EOF,
0,s->callbacks->userdata);
+ /* p may have been freed, so don't use it
+ * anymore in this function */
+ p = NULL;
}
}
if(r>0){