authorAndreas Schneider <asn@cryptomilk.org>2012-10-07 22:01:48 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-10-07 22:01:48 +0200
commitb811b89f57ec167612948e688d75015f85b9c8f4 (patch)
tree849b3b765d2f18e76e2a8ed32adf241b2c2920d1 /src
parent3db2ac41eb85a82d017bd60295a71b8cc9dfbecb (diff)
channels1: Fix several possible null pointer dereferences.
Diffstat (limited to 'src')
-rw-r--r--src/channels1.c66
1 files changed, 60 insertions, 6 deletions
diff --git a/src/channels1.c b/src/channels1.c
index 9ba5866e..583755a8 100644
--- a/src/channels1.c
+++ b/src/channels1.c
@@ -50,11 +50,17 @@
*/
int channel_open_session1(ssh_channel chan) {
+ ssh_session session;
+
+ if (chan == NULL) {
+ return -1;
+ }
+ session = chan->session;
+
/*
* We guess we are requesting an *exec* channel. It can only have one exec
* channel. So we abort with an error if we need more than one.
*/
- ssh_session session = chan->session;
if (session->exec_channel_opened) {
ssh_set_error(session, SSH_REQUEST_DENIED,
"SSH1 supports only one execution channel. "
@@ -84,8 +90,14 @@ int channel_open_session1(ssh_channel chan) {
int channel_request_pty_size1(ssh_channel channel, const char *terminal, int col,
int row) {
- ssh_session session = channel->session;
+ ssh_session session;
ssh_string str = NULL;
+
+ if (channel == NULL) {
+ return SSH_ERROR;
+ }
+ session = channel->session;
+
if(channel->request_state != SSH_CHANNEL_REQ_STATE_NONE){
ssh_set_error(session,SSH_REQUEST_DENIED,"Wrong request state");
return SSH_ERROR;
@@ -143,7 +155,13 @@ int channel_request_pty_size1(ssh_channel channel, const char *terminal, int col
}
int channel_change_pty_size1(ssh_channel channel, int cols, int rows) {
- ssh_session session = channel->session;
+ ssh_session session;
+
+ if (channel == NULL) {
+ return SSH_ERROR;
+ }
+ session = channel->session;
+
if(channel->request_state != SSH_CHANNEL_REQ_STATE_NONE){
ssh_set_error(session,SSH_REQUEST_DENIED,"Wrong request state");
return SSH_ERROR;
@@ -186,7 +204,12 @@ int channel_change_pty_size1(ssh_channel channel, int cols, int rows) {
}
int channel_request_shell1(ssh_channel channel) {
- ssh_session session = channel->session;
+ ssh_session session;
+
+ if (channel == NULL) {
+ return -1;
+ }
+ session = channel->session;
if (buffer_add_u8(session->out_buffer,SSH_CMSG_EXEC_SHELL) < 0) {
return -1;
@@ -202,9 +225,14 @@ int channel_request_shell1(ssh_channel channel) {
}
int channel_request_exec1(ssh_channel channel, const char *cmd) {
- ssh_session session = channel->session;
+ ssh_session session;
ssh_string command = NULL;
+ if (channel == NULL) {
+ return -1;
+ }
+ session = channel->session;
+
command = ssh_string_from_char(cmd);
if (command == NULL) {
return -1;
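Review bot: `cmd` is still passed unchecked to `ssh_string_from_char(cmd)` right after the new `channel` guard, so a NULL command can fault there unless that helper rejects NULL itself, which this hunk does not show. Extending the guard to `if (channel == NULL || cmd == NULL) {` would cover both caller-supplied pointers. The same gap appears in channel_write1, where `ptr=data` is set up with no check on `data` before the `while (len > 0)` loop; the reads through `ptr` are outside that hunk. The body of channel_request_exec1 continues past this hunk.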
@@ -231,6 +259,11 @@ SSH_PACKET_CALLBACK(ssh_packet_data1){
ssh_string str = NULL;
int is_stderr=(type==SSH_SMSG_STDOUT_DATA ? 0 : 1);
(void)user;
+
+ if (channel == NULL) {
+ return SSH_PACKET_NOT_USED;
+ }
+
str = buffer_get_ssh_string(packet);
if (str == NULL) {
ssh_log(session, SSH_LOG_FUNCTIONS, "Invalid data packet !\n");
@@ -256,6 +289,11 @@ SSH_PACKET_CALLBACK(ssh_packet_close1){
uint32_t status;
(void)type;
(void)user;
+
+ if (channel == NULL) {
+ return SSH_PACKET_NOT_USED;
+ }
+
buffer_get_u32(packet, &status);
/*
* It's much more than a channel closing. spec says it's the last
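Review bot: The return value of `buffer_get_u32(packet, &status)` is ignored just below the new guard, so a truncated packet from the peer would leave `status` uninitialized for whatever reads it later in the callback (that use is outside the hunk). Assuming the helper returns the number of bytes it read, a check such as `if (buffer_get_u32(packet, &status) != sizeof(uint32_t)) {` with an early return would reject short packets before `status` is consumed. ssh_packet_exist_status1 has the same unchecked call in the next hunk.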
@@ -277,6 +315,11 @@ SSH_PACKET_CALLBACK(ssh_packet_exist_status1){
uint32_t status;
(void)type;
(void)user;
+
+ if (channel == NULL) {
+ return SSH_PACKET_NOT_USED;
+ }
+
buffer_get_u32(packet, &status);
channel->state = SSH_CHANNEL_STATE_CLOSED;
channel->remote_eof = 1;
@@ -287,10 +330,16 @@ SSH_PACKET_CALLBACK(ssh_packet_exist_status1){
int channel_write1(ssh_channel channel, const void *data, int len) {
- ssh_session session = channel->session;
+ ssh_session session;
int origlen = len;
int effectivelen;
const unsigned char *ptr=data;
+
+ if (channel == NULL) {
+ return -1;
+ }
+ session = channel->session;
+
while (len > 0) {
if (buffer_add_u8(session->out_buffer, SSH_CMSG_STDIN_DATA) < 0) {
return -1;
@@ -318,6 +367,11 @@ int channel_write1(ssh_channel channel, const void *data, int len) {
ssh_channel ssh_get_channel1(ssh_session session){
struct ssh_iterator *it;
+
+ if (session == NULL) {
+ return NULL;
+ }
+
/* With SSH1, the channel is always the first one */
if(session->channels != NULL){
it = ssh_list_get_iterator(session->channels);