diff options
author | Oliver Stöneberg <oliverst@online.de> | 2011-05-04 09:20:15 -0700 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2011-05-17 14:19:51 +0200 |
commit | 986676378943353cdcf156493812737dc91befdd (patch) | |
tree | 03a13fd22c528fdb1f3e671024a9c70aeda6b4bc /src | |
parent | 32cd45612bd89714f5c597f6d9ac8c51510e3df4 (diff) | |
download | libssh-986676378943353cdcf156493812737dc91befdd.tar.gz libssh-986676378943353cdcf156493812737dc91befdd.tar.xz libssh-986676378943353cdcf156493812737dc91befdd.zip |
socket: Fixed use-after-free.
When s->callbacks->exception() was called in ssh_socket_pollcallback()
we had a use after free bug.
Diffstat (limited to 'src')
-rw-r--r-- | src/socket.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/socket.c b/src/socket.c index f3da4280..5d92b6c9 100644 --- a/src/socket.c +++ b/src/socket.c @@ -253,6 +253,9 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r s->callbacks->exception( SSH_SOCKET_EXCEPTION_ERROR, s->last_errno,s->callbacks->userdata); + /* p may have been freed, so don't use it + * anymore in this function */ + p = NULL; } } if(r==0){ @@ -266,6 +269,9 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r s->callbacks->exception( SSH_SOCKET_EXCEPTION_EOF, 0,s->callbacks->userdata); + /* p may have been freed, so don't use it + * anymore in this function */ + p = NULL; } } if(r>0){ |