aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJon Simons <jon@jonsimons.org>2014-01-30 18:30:41 -0800
committerAndreas Schneider <asn@cryptomilk.org>2014-02-02 22:21:07 +0100
commit785682ac2816149e838038e4591e9bd0ab0b6944 (patch)
treeb543558231a9c497f266466065df07c443f0a61d
parentf29f10876a3801a83af064f14f250c1a8d9c08a0 (diff)
downloadlibssh-785682ac2816149e838038e4591e9bd0ab0b6944.tar.gz
libssh-785682ac2816149e838038e4591e9bd0ab0b6944.tar.xz
libssh-785682ac2816149e838038e4591e9bd0ab0b6944.zip
socket: fix read of non-connected socket
Ensure to check whether the socket at hand is indeed still connected throughout POLLIN processing in ssh_socket_pollcallback. Before this change, the POLLIN block in ssh_socket_pollcallback is predicated against the condition (s->state == SSH_SOCKET_CONNECTED). Once entered, data from the socket is consumed through the data callback in this loop: do { r = s->callbacks->data(buffer_get_rest(s->in_buffer), buffer_get_rest_len(s->in_buffer), s->callbacks->userdata); buffer_pass_bytes(s->in_buffer,r); } while (r > 0); However, it is possible for the socket data callback to change the state of the socket (closing it, for example). Fix the loop to only continue so long as the socket remains connected: this also entails setting the ssh_socket state to SSH_SOCKET_CLOSED upon close. The bug can be observed before the change by sending a bogus banner to the server: 'echo -e "A\r\nB\r\n" | nc localhost 22'. Each of 'A' and 'B' will be processed by 'callback_receive_banner', even though the client socket is closed after rejection of 'A'. Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/socket.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/socket.c b/src/socket.c
index 8e5a75cf..affc6eb7 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -291,7 +291,7 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r
buffer_get_rest_len(s->in_buffer),
s->callbacks->userdata);
buffer_pass_bytes(s->in_buffer,r);
- } while (r > 0);
+ } while ((r > 0) && (s->state == SSH_SOCKET_CONNECTED));
/* p may have been freed, so don't use it
* anymore in this function */
p = NULL;
@@ -440,6 +440,8 @@ void ssh_socket_close(ssh_socket s){
ssh_poll_free(s->poll_out);
s->poll_out=NULL;
}
+
+ s->state = SSH_SOCKET_CLOSED;
}
/**