diff options
author | Jon Simons <jon@jonsimons.org> | 2014-01-30 18:30:41 -0800 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2014-02-02 22:21:07 +0100 |
commit | 785682ac2816149e838038e4591e9bd0ab0b6944 (patch) | |
tree | b543558231a9c497f266466065df07c443f0a61d | |
parent | f29f10876a3801a83af064f14f250c1a8d9c08a0 (diff) | |
download | libssh-785682ac2816149e838038e4591e9bd0ab0b6944.tar.gz libssh-785682ac2816149e838038e4591e9bd0ab0b6944.tar.xz libssh-785682ac2816149e838038e4591e9bd0ab0b6944.zip |
socket: fix read of non-connected socket
Ensure to check whether the socket at hand is indeed still connected
throughout POLLIN processing in ssh_socket_pollcallback.
Before this change, the POLLIN block in ssh_socket_pollcallback is
predicated against the condition (s->state == SSH_SOCKET_CONNECTED).
Once entered, data from the socket is consumed through the data
callback in this loop:
do {
r = s->callbacks->data(buffer_get_rest(s->in_buffer),
buffer_get_rest_len(s->in_buffer),
s->callbacks->userdata);
buffer_pass_bytes(s->in_buffer,r);
} while (r > 0);
However, it is possible for the socket data callback to change the
state of the socket (closing it, for example). Fix the loop to only
continue so long as the socket remains connected: this also entails
setting the ssh_socket state to SSH_SOCKET_CLOSED upon close.
The bug can be observed before the change by sending a bogus banner
to the server: 'echo -e "A\r\nB\r\n" | nc localhost 22'. Each of
'A' and 'B' will be processed by 'callback_receive_banner', even
though the client socket is closed after rejection of 'A'.
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r-- | src/socket.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/socket.c b/src/socket.c index 8e5a75cf..affc6eb7 100644 --- a/src/socket.c +++ b/src/socket.c @@ -291,7 +291,7 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r buffer_get_rest_len(s->in_buffer), s->callbacks->userdata); buffer_pass_bytes(s->in_buffer,r); - } while (r > 0); + } while ((r > 0) && (s->state == SSH_SOCKET_CONNECTED)); /* p may have been freed, so don't use it * anymore in this function */ p = NULL; @@ -440,6 +440,8 @@ void ssh_socket_close(ssh_socket s){ ssh_poll_free(s->poll_out); s->poll_out=NULL; } + + s->state = SSH_SOCKET_CLOSED; } /** |