From 0b9e07fbdc789b839f489ae52f1ddfeb07c12e9c Mon Sep 17 00:00:00 2001
From: Tilo Eckert
Date: Thu, 15 Nov 2018 10:37:20 +0100
Subject: [PATCH] socket: Fix potential buffer overrun

If nread is < 0 and no exception callback is set, the following code block would cause a buffer overrun.

Signed-off-by: Tilo Eckert
Reviewed-by: Andreas Schneider
---
 src/socket.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/src/socket.c b/src/socket.c
index 8c3e68ec..6012c46e 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -270,12 +270,8 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p,
 s->callbacks->exception(SSH_SOCKET_EXCEPTION_ERROR,
 s->last_errno,
 s->callbacks->userdata);
-
- /* p may have been freed, so don't use it
- * anymore in this function */
- p = NULL;
- return -2;
 }
+ return -2;
 }
 if (nread == 0) {
 if (p != NULL) {
@@ -288,12 +284,8 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p,
 s->callbacks->exception(SSH_SOCKET_EXCEPTION_EOF,
 0,
 s->callbacks->userdata);
-
- /* p may have been freed, so don't use it
- * anymore in this function */
- p = NULL;
- return -2;
 }
+ return -2;
 }

 if (s->session->socket_counter != NULL) {
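Review bot: The unconditional `return -2;` added after the `SSH_SOCKET_EXCEPTION_ERROR` callback block has no comment, and the hunk deletes the only note that `p` may have been freed by the exception callback, so neither reason for the early return is recorded in the code any more. I would put `/* Always bail out: nread is not a valid length here, and the exception callback may have freed p. */` directly above it. The same applies to the `return -2;` added in the second hunk, in the `nread == 0` / `SSH_SOCKET_EXCEPTION_EOF` branch. The branch conditions and the code that consumes `nread` further down in `ssh_socket_pollcallback` lie outside both hunks, so the overrun path is taken from the commit message rather than from visible lines. A regression test that drives the poll callback with a failing read and no exception callback registered would stop the return from drifting back inside the `if`.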