Fixed two potential use-after-frees of the payload buffer

The first might occur if _libssh2_packet_add returns an error, as fullpacket_state wasn't reset to idle so if it were possible for fullpacket to be called again, it would return to the same state handler and re-use the freed p->packet buffer. The second could occur if decrypt returned an error, as it freed the packet buffer but did not clear total_num, meaning that freed buffer could be written into again later.
2014-02-18 23:38:23 +01:00 · 2014-02-18 23:38:23 +01:00 · 5559ad8fe1
--- a/src/transport.c
+++ b/src/transport.c
@ -241,8 +241,12 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
        rc = _libssh2_packet_add(session, p->payload,
                                 session->fullpacket_payload_len,
                                 session->fullpacket_macstate);
-        if (rc)
+        if (rc == LIBSSH2_ERROR_EAGAIN)
            return rc;
+        if (rc) {
+            session->fullpacket_state = libssh2_NB_state_idle;
+            return rc;
+        }
    }

    session->fullpacket_state = libssh2_NB_state_idle;
@ -524,6 +528,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
            /* now decrypt the lot */
            rc = decrypt(session, &p->buf[p->readidx], p->wptr, numdecrypt);
            if (rc != LIBSSH2_ERROR_NONE) {
+                p->total_num = 0;   /* no packet buffer available */
                return rc;
            }