aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAris Adamantiadis <aris@0xbadc0de.be>2009-06-21 22:30:28 +0200
committerAndreas Schneider <mail@cynapses.org>2009-06-23 09:13:15 +0200
commit918a912cd56dcac81feea2c52348cdc24b1468cf (patch)
tree201dda2285870312c21d0dd74100d6a523d81742
parent7ba81b974ef45ac78620c1ec5140c81f84b6f06f (diff)
downloadlibssh-918a912cd56dcac81feea2c52348cdc24b1468cf.tar.gz
libssh-918a912cd56dcac81feea2c52348cdc24b1468cf.tar.xz
libssh-918a912cd56dcac81feea2c52348cdc24b1468cf.zip
Fixed yet another read-after-free bug
read of a buffer len after free in sftp_write()
-rw-r--r--libssh/sftp.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libssh/sftp.c b/libssh/sftp.c
index fde88533..9776c3d0 100644
--- a/libssh/sftp.c
+++ b/libssh/sftp.c
@@ -1681,6 +1681,7 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) {
BUFFER *buffer;
u32 id;
int len;
+ int packetlen;
buffer = buffer_new();
if (buffer == NULL) {
@@ -1704,12 +1705,12 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) {
return -1;
}
string_free(datastring);
-
+ packetlen=buffer_get_len(buffer);
len = sftp_packet_write(file->sftp, SSH_FXP_WRITE, buffer);
buffer_free(buffer);
if (len < 0) {
return -1;
- } else if ((u32) len != buffer_get_len(buffer)) {
+ } else if (len != packetlen) {
ssh_log(sftp->session, SSH_LOG_PACKET,
"Could not write as much data as expected");
}