Fixed two potential use-after-frees of the payload buffer
The first might occur if _libssh2_packet_add returns an error, as fullpacket_state wasn't reset to idle so if it were possible for fullpacket to be called again, it would return to the same state handler and re-use the freed p->packet buffer. The second could occur if decrypt returned an error, as it freed the packet buffer but did not clear total_num, meaning that freed buffer could be written into again later.
Этот коммит содержится в:
Dan Fandrich
родитель
88366b5ec2
Коммит
5559ad8fe1
@ -241,8 +241,12 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
|
|||||||
rc = _libssh2_packet_add(session, p->payload,
|
rc = _libssh2_packet_add(session, p->payload,
|
||||||
session->fullpacket_payload_len,
|
session->fullpacket_payload_len,
|
||||||
session->fullpacket_macstate);
|
session->fullpacket_macstate);
|
||||||
if (rc)
|
if (rc == LIBSSH2_ERROR_EAGAIN)
|
||||||
return rc;
|
return rc;
|
||||||
|
if (rc) {
|
||||||
|
session->fullpacket_state = libssh2_NB_state_idle;
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
session->fullpacket_state = libssh2_NB_state_idle;
|
session->fullpacket_state = libssh2_NB_state_idle;
|
||||||
@ -524,6 +528,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
|
|||||||
/* now decrypt the lot */
|
/* now decrypt the lot */
|
||||||
rc = decrypt(session, &p->buf[p->readidx], p->wptr, numdecrypt);
|
rc = decrypt(session, &p->buf[p->readidx], p->wptr, numdecrypt);
|
||||||
if (rc != LIBSSH2_ERROR_NONE) {
|
if (rc != LIBSSH2_ERROR_NONE) {
|
||||||
|
p->total_num = 0; /* no packet buffer available */
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Загрузка…
x
Ссылка в новой задаче
Block a user