channels1: Fix severa possible null pointer dereferences.

(cherry picked from commit b811b89f57ec167612948e688d75015f85b9c8f4)
author: Andreas Schneider <asn@cryptomilk.org> 2012-10-07 22:01:48 +0200
committer: Andreas Schneider <asn@cryptomilk.org> 2013-01-10 13:55:12 +0100
commit: ba231d0844d424f48b6dc4c04b3109a0175d0733 (patch)
tree: da1e135152e89d0cf4d5beb3594f07b4f1b705e2
parent: 6da817aa47e6fd4b8e4bd5d1579c1451d3cd3308 (diff)
download: libssh-ba231d0844d424f48b6dc4c04b3109a0175d0733.tar.gz
libssh-ba231d0844d424f48b6dc4c04b3109a0175d0733.tar.xz
libssh-ba231d0844d424f48b6dc4c04b3109a0175d0733.zip
1 files changed, 59 insertions, 6 deletions
diff --git a/src/channels1.c b/src/channels1.c
index ca669a45..a9e3ab5a 100644
--- a/src/channels1.c
+++ b/src/channels1.c
@@ -50,11 +50,17 @@
  */
 
 int channel_open_session1(ssh_channel chan) {
+  ssh_session session;
+
+  if (chan == NULL) {
+    return -1;
+  }
+  session = chan->session;
+
   /*
    * We guess we are requesting an *exec* channel. It can only have one exec
    * channel. So we abort with an error if we need more than one.
    */
-  ssh_session session = chan->session;
   if (session->exec_channel_opened) {
     ssh_set_error(session, SSH_REQUEST_DENIED,
         "SSH1 supports only one execution channel. "
@@ -85,8 +91,14 @@ int channel_open_session1(ssh_channel chan) {
 
 int channel_request_pty_size1(ssh_channel channel, const char *terminal, int col,
     int row) {
-  ssh_session session = channel->session;
+  ssh_session session;
   ssh_string str = NULL;
+
+  if (channel == NULL) {
+    return SSH_ERROR;
+  }
+  session = channel->session;
+
   if(channel->request_state != SSH_CHANNEL_REQ_STATE_NONE){
     ssh_set_error(session,SSH_REQUEST_DENIED,"Wrong request state");
     return SSH_ERROR;
@@ -139,7 +151,13 @@ int channel_request_pty_size1(ssh_channel channel, const char *terminal, int col
 }
 
 int channel_change_pty_size1(ssh_channel channel, int cols, int rows) {
-  ssh_session session = channel->session;
+  ssh_session session;
+
+  if (channel == NULL) {
+    return SSH_ERROR;
+  }
+  session = channel->session;
+
   if(channel->request_state != SSH_CHANNEL_REQ_STATE_NONE){
     ssh_set_error(session,SSH_REQUEST_DENIED,"Wrong request state");
     return SSH_ERROR;
@@ -182,7 +200,12 @@ int channel_change_pty_size1(ssh_channel channel, int cols, int rows) {
 }
 
 int channel_request_shell1(ssh_channel channel) {
-  ssh_session session = channel->session;
+  ssh_session session;
+
+  if (channel == NULL) {
+    return -1;
+  }
+  session = channel->session;
 
   if (buffer_add_u8(session->out_buffer,SSH_CMSG_EXEC_SHELL) < 0) {
     return -1;
@@ -198,9 +221,14 @@ int channel_request_shell1(ssh_channel channel) {
 }
 
 int channel_request_exec1(ssh_channel channel, const char *cmd) {
-  ssh_session session = channel->session;
+  ssh_session session;
   ssh_string command = NULL;
 
+  if (channel == NULL) {
+    return -1;
+  }
+  session = channel->session;
+
   command = ssh_string_from_char(cmd);
   if (command == NULL) {
     return -1;
@@ -227,6 +255,11 @@ SSH_PACKET_CALLBACK(ssh_packet_data1){
     ssh_string str = NULL;
     int is_stderr=(type==SSH_SMSG_STDOUT_DATA ? 0 : 1);
     (void)user;
+
+    if (channel == NULL) {
+      return SSH_PACKET_NOT_USED;
+    }
+
     str = buffer_get_ssh_string(packet);
     if (str == NULL) {
       ssh_log(session, SSH_LOG_FUNCTIONS, "Invalid data packet !\n");
@@ -254,6 +287,10 @@ SSH_PACKET_CALLBACK(ssh_packet_close1){
   (void)type;
   (void)user;
 
+  if (channel == NULL) {
+    return SSH_PACKET_NOT_USED;
+  }
+
   buffer_get_u32(packet, &status);
   /*
    * It's much more than a channel closing. spec says it's the last
@@ -275,6 +312,11 @@ SSH_PACKET_CALLBACK(ssh_packet_exist_status1){
   uint32_t status;
   (void)type;
   (void)user;
+
+  if (channel == NULL) {
+    return SSH_PACKET_NOT_USED;
+  }
+
   buffer_get_u32(packet, &status);
   channel->state = SSH_CHANNEL_STATE_CLOSED;
   channel->remote_eof = 1;
@@ -285,10 +327,16 @@ SSH_PACKET_CALLBACK(ssh_packet_exist_status1){
 
 
 int channel_write1(ssh_channel channel, const void *data, int len) {
-  ssh_session session = channel->session;
+  ssh_session session;
   int origlen = len;
   int effectivelen;
   const unsigned char *ptr=data;
+
+  if (channel == NULL) {
+    return -1;
+  }
+  session = channel->session;
+
   while (len > 0) {
     if (buffer_add_u8(session->out_buffer, SSH_CMSG_STDIN_DATA) < 0) {
       return -1;
@@ -314,6 +362,11 @@ int channel_write1(ssh_channel channel, const void *data, int len) {
 
 ssh_channel ssh_get_channel1(ssh_session session){
   struct ssh_iterator *it;
+
+  if (session == NULL) {
+    return NULL;
+  }
+
   /* With SSH1, the channel is always the first one */
   if(session->channels != NULL){
     it = ssh_list_get_iterator(session->channels);
author	Andreas Schneider <asn@cryptomilk.org>	2012-10-07 22:01:48 +0200
committer	Andreas Schneider <asn@cryptomilk.org>	2013-01-10 13:55:12 +0100
commit	ba231d0844d424f48b6dc4c04b3109a0175d0733 (patch)
tree	da1e135152e89d0cf4d5beb3594f07b4f1b705e2
parent	6da817aa47e6fd4b8e4bd5d1579c1451d3cd3308 (diff)
download	libssh-ba231d0844d424f48b6dc4c04b3109a0175d0733.tar.gz libssh-ba231d0844d424f48b6dc4c04b3109a0175d0733.tar.xz libssh-ba231d0844d424f48b6dc4c04b3109a0175d0733.zip