socket: Fix potential buffer overrun

If nread is < 0 and no exception callback is set, the following code block would cause a buffer overrun. Signed-off-by: Tilo Eckert <tilo.eckert@flam.de> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-11-15 10:37:20 +01:00 · 2018-11-15 10:37:20 +01:00 · 0b9e07fbdc
--- a/src/socket.c
+++ b/src/socket.c
@ -270,12 +270,8 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p,
                s->callbacks->exception(SSH_SOCKET_EXCEPTION_ERROR,
                                        s->last_errno,
                                        s->callbacks->userdata);
-
-                /* p may have been freed, so don't use it
-                 * anymore in this function */
-                p = NULL;
-                return -2;
            }
+            return -2;
        }
        if (nread == 0) {
            if (p != NULL) {
@ -288,12 +284,8 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p,
                s->callbacks->exception(SSH_SOCKET_EXCEPTION_EOF,
                                        0,
                                        s->callbacks->userdata);
-
-                /* p may have been freed, so don't use it
-                 * anymore in this function */
-                p = NULL;
-                return -2;
            }
+            return -2;
        }

        if (s->session->socket_counter != NULL) {