aboutsummaryrefslogtreecommitdiff
path: root/libssh/sftp.c
diff options
context:
space:
mode:
authorAris Adamantiadis <aris@0xbadc0de.be>2009-06-21 22:30:28 +0200
committerAris Adamantiadis <aris@0xbadc0de.be>2009-06-21 22:30:28 +0200
commit8960992267881c84914e5ca4b9f72aafa063eabd (patch)
tree5cc7ed05e137ca6aa5061eb0c8dfca7ea88c0249 /libssh/sftp.c
parent730af24de8dba66b80407e83caabaa424d4f89b2 (diff)
downloadlibssh-8960992267881c84914e5ca4b9f72aafa063eabd.tar.gz
libssh-8960992267881c84914e5ca4b9f72aafa063eabd.tar.xz
libssh-8960992267881c84914e5ca4b9f72aafa063eabd.zip
Fixed yet another read-after-free bug
read of a buffer len after free in sftp_write()
Diffstat (limited to 'libssh/sftp.c')
-rw-r--r--libssh/sftp.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libssh/sftp.c b/libssh/sftp.c
index fde88533..9776c3d0 100644
--- a/libssh/sftp.c
+++ b/libssh/sftp.c
@@ -1681,6 +1681,7 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) {
BUFFER *buffer;
u32 id;
int len;
+ int packetlen;
buffer = buffer_new();
if (buffer == NULL) {
@@ -1704,12 +1705,12 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) {
return -1;
}
string_free(datastring);
-
+ packetlen=buffer_get_len(buffer);
len = sftp_packet_write(file->sftp, SSH_FXP_WRITE, buffer);
buffer_free(buffer);
if (len < 0) {
return -1;
- } else if ((u32) len != buffer_get_len(buffer)) {
+ } else if (len != packetlen) {
ssh_log(sftp->session, SSH_LOG_PACKET,
"Could not write as much data as expected");
}