From b5351f2809140921076ef54cc6092b543b5199d2 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Wed, 31 Aug 2011 16:15:20 +0300
Subject: poll: resolve use-after-free + inconsistent callbacks call

This code was weird in the first place. I suspect my change will break something else
(probably the appcode that needed it). ssh_poll_ctx_free is not a good
place to send exception callbacks imho.
---
 src/poll.c | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)

(limited to 'src')

diff --git a/src/poll.c b/src/poll.c
index 4fb63ad8..70a6fdb7 100644
--- a/src/poll.c
+++ b/src/poll.c
@@ -443,24 +443,9 @@ ssh_poll_ctx ssh_poll_ctx_new(size_t chunk_size) {
  */
 void ssh_poll_ctx_free(ssh_poll_ctx ctx) {
   if (ctx->polls_allocated > 0) {
-    register size_t i, used;
-
-    used = ctx->polls_used;
-    for (i = 0; i < used; ) {
-      ssh_poll_handle p = ctx->pollptrs[i];
-      socket_t fd = ctx->pollfds[i].fd;
-
-      /* force poll object removal */
-      if (p->cb && p->cb(p, fd, POLLERR, p->cb_data) < 0) {
-        if(ctx->polls_used < used) {
-            used = ctx->polls_used;
-        } else {
-            /* nothing to do */
-            i++;
-        }
-      } else {
-        i++;
-      }
+    while (ctx->polls_used > 0){
+      ssh_poll_handle p = ctx->pollptrs[0];
+      ssh_poll_ctx_remove(ctx, p);
     }
 
     SAFE_FREE(ctx->pollptrs);
-- 
cgit v1.2.3