Prevent sftp_packet_read accessing freed memory.

sftp_packet_add takes ownership of the packet passed to it and (now that we
handle zombies) might free the packet.  sftp_packet_read uses the packet type
byte as its return code but by this point sftp_packet_add might have freed
it.  This change fixes the problem by caching the packet type before calling
sftp_packet_add.

I don't understand why sftp_packet_read uses the packet type as its return
code.  A future change might get rid of this entirely.
Alexander Lamaison
2012-05-13 15:56:54 +01:00
parent 27ac5aa40d
commit b583311a93


@@ -292,6 +292,7 @@ sftp_packet_read(LIBSSH2_SFTP *sftp)
unsigned char *packet = NULL;
ssize_t rc;
unsigned long recv_window;
int packet_type;
_libssh2_debug(session, LIBSSH2_TRACE_SFTP, "recv packet");
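Review bot: the new `int packet_type;` declaration is a sound type choice, since the function returns an int and `packet[0]` is an unsigned char, so the widening is lossless; but it is left uninitialised here and only assigned at one site far below, so consider initialising it (e.g. to an error value) or moving the declaration next to the assignment so that no later return path can hand back an unassigned value.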
@@ -400,13 +401,17 @@ sftp_packet_read(LIBSSH2_SFTP *sftp)
sftp->partial_packet = NULL;
/* sftp_packet_add takes ownership of the packet and might free it
so we take a copy of the packet type before we call it. */
packet_type = packet[0];
rc = sftp_packet_add(sftp, packet, sftp->partial_len);
if (rc) {
LIBSSH2_FREE(session, packet);
return rc;
}
return packet[0];
else {
return packet_type;
}
}
/* WON'T REACH */
}
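Review bot: the error path after `rc = sftp_packet_add(sftp, packet, sftp->partial_len);` still calls `LIBSSH2_FREE(session, packet);`, yet the commit message and the new comment in this hunk both state that sftp_packet_add takes ownership of the packet and may free it; please confirm that sftp_packet_add never frees the buffer when it returns non-zero, otherwise this branch releases it twice. Separately, the `else { return packet_type; }` following an unconditional `return rc;` is redundant; a bare `return packet_type;` reads more clearly and keeps the `/* WON'T REACH */` marker accurate.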