From 5559ad8fe1cc41681744de41682025e8a625efa3 Mon Sep 17 00:00:00 2001
From: Dan Fandrich
Date: Tue, 18 Feb 2014 23:38:23 +0100
Subject: [PATCH] Fixed two potential use-after-frees of the payload buffer

The first might occur if _libssh2_packet_add returns an error, as fullpacket_state wasn't reset to idle so if it were possible for fullpacket to be called again, it would return to the same state handler and re-use the freed p->packet buffer.

The second could occur if decrypt returned an error, as it freed the packet buffer but did not clear total_num, meaning that freed buffer could be written into again later.
---
 src/transport.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/transport.c b/src/transport.c
index b4ec037..3cbd170 100644
--- a/src/transport.c
+++ b/src/transport.c
@@ -241,8 +241,12 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
         rc = _libssh2_packet_add(session, p->payload,
                                  session->fullpacket_payload_len,
                                  session->fullpacket_macstate);
-        if (rc)
+        if (rc == LIBSSH2_ERROR_EAGAIN)
             return rc;
+        if (rc) {
+            session->fullpacket_state = libssh2_NB_state_idle;
+            return rc;
+        }
     }
 
     session->fullpacket_state = libssh2_NB_state_idle;
@@ -524,6 +528,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
             /* now decrypt the lot */
             rc = decrypt(session, &p->buf[p->readidx], p->wptr, numdecrypt);
             if (rc != LIBSSH2_ERROR_NONE) {
+                p->total_num = 0; /* no packet buffer available */
                 return rc;
             }
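Review bot: The new non-EAGAIN error branch resets `fullpacket_state` but leaves `p->payload` pointing at the buffer the commit message says `_libssh2_packet_add` has already freed, so a dangling pointer still lives in the session state after this hunk; adding `p->payload = NULL;` beside the state reset would make any later stray use of that field fail as a null dereference instead of a silent use-after-free. The EAGAIN branch deliberately keeps the created state so that a retry re-enters the `_libssh2_packet_add` call, and that asymmetry deserves a comment so nobody later "harmonises" the two branches, e.g. `/* EAGAIN: stay in the created state so the retry re-runs _libssh2_packet_add */`. Whether `_libssh2_packet_add` frees its payload on every non-EAGAIN error is taken from the commit message, not visible here, and should be confirmed against that function. `fullpacket` begins before this hunk and continues after it.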
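Review bot: Zeroing `p->total_num` stops the freed payload from being appended to later, but on this path `p->payload` itself still holds the freed address (the message says `decrypt` releases it), so `p->payload = NULL;` next to the new line would protect the same buffer against any other code that tests or reads that pointer rather than `total_num`. The trailing comment could also say why the caller must not simply call `_libssh2_transport_read` again: after a failed decrypt the remaining bytes in `p->buf` from `p->readidx` would be reinterpreted as a fresh packet, which is presumably meaningless once the cipher stream is out of step — something like `/* decrypt failed and freed p->payload; drop the partial packet, the session cannot resume from here */`, with the fatal-ness to be confirmed against decrypt's callers. `_libssh2_transport_read` begins and ends outside this hunk.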