author | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-06-21 19:25:51 +0200 |
---|---|---|
committer | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-06-21 19:25:51 +0200 |
commit | bab8508eba16ffc7a2c1ff6c93c1d4384ae44066 (patch) | |
tree | 1ead8724b306469bd625d6745d70610a60c83901 /libssh/client.c | |
parent | 77cd4795c56550f32a4146389799892ffe2986b0 (diff) | |
Fix doublefree bug found by Cyril
Diffstat (limited to 'libssh/client.c')
-rw-r--r-- | libssh/client.c | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/libssh/client.c b/libssh/client.c
index 6255845..941fd0e 100644
--- a/libssh/client.c
+++ b/libssh/client.c
@@ -221,6 +221,7 @@ static int dh_handshake(SSH_SESSION *session) {
 }
 string_burn(e);
 string_free(e);
+ e=NULL;
 rc = packet_send(session);
 if (rc == SSH_ERROR) {
@@ -261,7 +262,7 @@ static int dh_handshake(SSH_SESSION *session) {
 }
 string_burn(f);
 string_free(f);
-
+ f=NULL;
 signature = buffer_get_ssh_string(session->in_buffer);
 if (signature == NULL) {
 ssh_set_error(session, SSH_FATAL, "No signature in packet");
@@ -332,13 +333,14 @@ static int dh_handshake(SSH_SESSION *session) {
 /* forget it for now ... */
 string_burn(signature);
 string_free(signature);
-
+ signature=NULL;
 /*
 * Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and
 * current_crypto
 */
 if (session->current_crypto) {
 crypto_free(session->current_crypto);
+ session->current_crypto=NULL;
 }
 /* FIXME later, include a function to change keys */
@@ -364,14 +366,22 @@ static int dh_handshake(SSH_SESSION *session) {
 /* not reached */
 error:
- string_burn(e);
- string_free(e);
- string_burn(f);
- string_free(f);
- string_burn(pubkey);
- string_free(pubkey);
- string_burn(signature);
- string_free(signature);
+ if(e != NULL){
+ string_burn(e);
+ string_free(e);
+ }
+ if(f != NULL){
+ string_burn(f);
+ string_free(f);
+ }
+ if(pubkey != NULL){
+ string_burn(pubkey);
+ string_free(pubkey);
+ }
+ if(signature != NULL){
+ string_burn(signature);
+ string_free(signature);
+ }
 leave_function();
 return rc; |
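Review bot: The reset `e=NULL;` in the first hunk (`@@ -221,6 +221,7 @@`) carries no comment saying why it is there, and the same holds for `f=NULL;` and `signature=NULL;` in the next two hunks. These assignments are what keep the shared `error:` cleanup from burning and freeing a string that was already released, so a later edit that drops one as dead code would bring the double free back. I would add `/* already freed: keep the error: label from freeing it again */` above each reset. dh_handshake starts and ends outside these hunks.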
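Review bot: `pubkey` is released under `error:` in the last hunk (`@@ -364,14 +366,22 @@`), but none of the hunks shown resets it the way `e`, `f` and `signature` now are. If `pubkey` is freed or handed over to the session earlier in dh_handshake (that code is outside the hunks), a later `goto error` would still free it a second time; `pubkey=NULL;` directly after that point would close the gap. The new guards also only help if all four locals are initialised to NULL where they are declared, which is not visible here.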