diff options
author | Vic Lee <llyzs@163.com> | 2010-01-20 00:13:52 +0800 |
---|---|---|
committer | Andreas Schneider <mail@cynapses.org> | 2010-01-29 18:51:50 +0100 |
commit | 4768cf3e8523d3b432128a35a5cfae045c073edb (patch) | |
tree | 8260e17dd0b92b8f8e188b99f6d1d91d81cf9b0e | |
parent | 5a95681f01be1872a3c7711898fbce00b219c4c6 (diff) | |
download | libssh-4768cf3e8523d3b432128a35a5cfae045c073edb.tar.gz libssh-4768cf3e8523d3b432128a35a5cfae045c073edb.tar.xz libssh-4768cf3e8523d3b432128a35a5cfae045c073edb.zip |
In handle_channel_request_open(), variable type is freed too early and cause memory corruptions.
Signed-off-by: Vic Lee <llyzs@163.com>
Signed-off-by: Andreas Schneider <mail@cynapses.org>
-rw-r--r-- | libssh/messages.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libssh/messages.c b/libssh/messages.c index 2b60dfdd..fc1624c0 100644 --- a/libssh/messages.c +++ b/libssh/messages.c @@ -319,7 +319,6 @@ static ssh_message handle_channel_request_open(ssh_session session) { ssh_log(session, SSH_LOG_PACKET, "Clients wants to open a %s channel", type_c); - string_free(type); buffer_get_u32(session->in_buffer, &sender); buffer_get_u32(session->in_buffer, &window); @@ -331,6 +330,7 @@ static ssh_message handle_channel_request_open(ssh_session session) { if (strcmp(type_c,"session") == 0) { msg->channel_request_open.type = SSH_CHANNEL_SESSION; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; @@ -370,6 +370,7 @@ static ssh_message handle_channel_request_open(ssh_session session) { msg->channel_request_open.originator_port = ntohl(originator_port); msg->channel_request_open.type = SSH_CHANNEL_DIRECT_TCPIP; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; @@ -409,6 +410,7 @@ static ssh_message handle_channel_request_open(ssh_session session) { msg->channel_request_open.originator_port = ntohl(originator_port); msg->channel_request_open.type = SSH_CHANNEL_FORWARDED_TCPIP; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; @@ -432,12 +434,14 @@ static ssh_message handle_channel_request_open(ssh_session session) { msg->channel_request_open.originator_port = ntohl(originator_port); msg->channel_request_open.type = SSH_CHANNEL_X11; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; } msg->channel_request_open.type = SSH_CHANNEL_UNKNOWN; + string_free(type); SAFE_FREE(type_c); leave_function(); |