diff options
author | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-06-21 22:30:28 +0200 |
---|---|---|
committer | Andreas Schneider <mail@cynapses.org> | 2009-06-23 09:13:15 +0200 |
commit | 918a912cd56dcac81feea2c52348cdc24b1468cf (patch) | |
tree | 201dda2285870312c21d0dd74100d6a523d81742 | |
parent | 7ba81b974ef45ac78620c1ec5140c81f84b6f06f (diff) | |
download | libssh-918a912cd56dcac81feea2c52348cdc24b1468cf.tar.gz libssh-918a912cd56dcac81feea2c52348cdc24b1468cf.tar.xz libssh-918a912cd56dcac81feea2c52348cdc24b1468cf.zip |
Fixed yet another read-after-free bug
read of a buffer len after free in sftp_write()
-rw-r--r-- | libssh/sftp.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/libssh/sftp.c b/libssh/sftp.c index fde88533..9776c3d0 100644 --- a/libssh/sftp.c +++ b/libssh/sftp.c @@ -1681,6 +1681,7 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) { BUFFER *buffer; u32 id; int len; + int packetlen; buffer = buffer_new(); if (buffer == NULL) { @@ -1704,12 +1705,12 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) { return -1; } string_free(datastring); - + packetlen=buffer_get_len(buffer); len = sftp_packet_write(file->sftp, SSH_FXP_WRITE, buffer); buffer_free(buffer); if (len < 0) { return -1; - } else if ((u32) len != buffer_get_len(buffer)) { + } else if (len != packetlen) { ssh_log(sftp->session, SSH_LOG_PACKET, "Could not write as much data as expected"); } |