From 8960992267881c84914e5ca4b9f72aafa063eabd Mon Sep 17 00:00:00 2001 From: Aris Adamantiadis Date: Sun, 21 Jun 2009 22:30:28 +0200 Subject: Fixed yet another read-after-free bug read of a buffer len after free in sftp_write() --- libssh/sftp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'libssh/sftp.c') diff --git a/libssh/sftp.c b/libssh/sftp.c index fde88533..9776c3d0 100644 --- a/libssh/sftp.c +++ b/libssh/sftp.c @@ -1681,6 +1681,7 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) { BUFFER *buffer; u32 id; int len; + int packetlen; buffer = buffer_new(); if (buffer == NULL) { @@ -1704,12 +1705,12 @@ ssize_t sftp_write(SFTP_FILE *file, const void *buf, size_t count) { return -1; } string_free(datastring); - + packetlen=buffer_get_len(buffer); len = sftp_packet_write(file->sftp, SSH_FXP_WRITE, buffer); buffer_free(buffer); if (len < 0) { return -1; - } else if ((u32) len != buffer_get_len(buffer)) { + } else if (len != packetlen) { ssh_log(sftp->session, SSH_LOG_PACKET, "Could not write as much data as expected"); } -- cgit v1.2.3
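Review bot: `int packetlen;` in the first hunk gives the saved length a signed type, although the removed comparison cast `len` to `u32` before comparing it with `buffer_get_len(buffer)`. That cast suggests the function returns an unsigned 32-bit value, but its prototype is not visible here. Declaring `u32 packetlen;` and writing the second hunk's test as `} else if ((u32) len != packetlen) {` would avoid the implicit unsigned-to-signed conversion and keep the comparison unsigned. The cast is safe at that point because `len < 0` has already been handled. The body of sftp_write starts before and continues past both hunks.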
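Review bot: After `buffer_free(buffer);` in the second hunk the local `buffer` still holds the freed address, so nothing enforces the statement order this fix depends on, and a later edit could reintroduce the same read. Adding `buffer = NULL;` directly after the free would make any further use fault deterministically instead of reading freed memory. A short comment above the new assignment, such as `/* take the length now: buffer is freed before len is checked */`, would record why the value is copied. Whether `buffer` is used again later in sftp_write cannot be seen from this hunk, since the function continues past it.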