diff options
author | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-06-21 22:30:28 +0200 |
---|---|---|
committer | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-06-21 22:30:28 +0200 |
commit | 8960992267881c84914e5ca4b9f72aafa063eabd (patch) | |
tree | 5cc7ed05e137ca6aa5061eb0c8dfca7ea88c0249 | |
parent | 730af24de8dba66b80407e83caabaa424d4f89b2 (diff) | |
download | libssh-8960992267881c84914e5ca4b9f72aafa063eabd.tar.gz libssh-8960992267881c84914e5ca4b9f72aafa063eabd.tar.xz libssh-8960992267881c84914e5ca4b9f72aafa063eabd.zip |
Fixed yet another read-after-free bug
read of a buffer len after free in sftp_write()
-rw-r--r-- | libssh/sftp.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/libssh/sftp.c b/libssh/sftp.c index fde88533..9776c3d0 100644 --- a/libssh/sftp.c +++ b/libssh/sftp.c @@ -1681,6 +1681,7 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) { BUFFER *buffer; u32 id; int len; + int packetlen; buffer = buffer_new(); if (buffer == NULL) { @@ -1704,12 +1705,12 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) { return -1; } string_free(datastring); - + packetlen=buffer_get_len(buffer); len = sftp_packet_write(file->sftp, SSH_FXP_WRITE, buffer); buffer_free(buffer); if (len < 0) { return -1; - } else if ((u32) len != buffer_get_len(buffer)) { + } else if (len != packetlen) { ssh_log(sftp->session, SSH_LOG_PACKET, "Could not write as much data as expected"); } |