[PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions.
- Subject: [PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions.
- From: Vic Lee <llyzs@xxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 20 Jan 2010 00:23:47 +0800
- To: libssh <libssh@xxxxxxxxxx>
Hi,

I recently encountered some occasional crashes when trying to use channel request stuff. It turned out that in function handle_channel_request_open(), a variable 'type' is freed but then used in later code, which causes unexpected results, sometimes a double free and crash, but if you are lucky sometimes things won't happen.

I will consider this bug a very critical one because this will make the function handle_channel_request_open() very unstable, affecting both server side (all channel requests) and client side (x11 and forward-listen requests).

I found this in the v0-4 branch, please help me to check master as well...

Thanks,
Vic
From 71fd5b4d079c044e48c3050f0952262e4cd7ef1b Mon Sep 17 00:00:00 2001 From: Vic Lee <llyzs@xxxxxxx> Date: Wed, 20 Jan 2010 00:13:52 +0800 Subject: [PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions. Signed-off-by: Vic Lee <llyzs@xxxxxxx> --- libssh/messages.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/libssh/messages.c b/libssh/messages.c index 2b60dfd..fc1624c 100644 --- a/libssh/messages.c +++ b/libssh/messages.c @@ -319,7 +319,6 @@ static ssh_message handle_channel_request_open(ssh_session session) { ssh_log(session, SSH_LOG_PACKET, "Clients wants to open a %s channel", type_c); - string_free(type); buffer_get_u32(session->in_buffer, &sender); buffer_get_u32(session->in_buffer, &window); @@ -331,6 +330,7 @@ static ssh_message handle_channel_request_open(ssh_session session) { if (strcmp(type_c,"session") == 0) { msg->channel_request_open.type = SSH_CHANNEL_SESSION; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; @@ -370,6 +370,7 @@ static ssh_message handle_channel_request_open(ssh_session session) { msg->channel_request_open.originator_port = ntohl(originator_port); msg->channel_request_open.type = SSH_CHANNEL_DIRECT_TCPIP; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; @@ -409,6 +410,7 @@ static ssh_message handle_channel_request_open(ssh_session session) { msg->channel_request_open.originator_port = ntohl(originator_port); msg->channel_request_open.type = SSH_CHANNEL_FORWARDED_TCPIP; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; 
@@ -432,12 +434,14 @@ static ssh_message handle_channel_request_open(ssh_session session) { msg->channel_request_open.originator_port = ntohl(originator_port); msg->channel_request_open.type = SSH_CHANNEL_X11; + string_free(type); SAFE_FREE(type_c); leave_function(); return msg; } msg->channel_request_open.type = SSH_CHANNEL_UNKNOWN; + string_free(type); SAFE_FREE(type_c); leave_function(); -- 1.6.5
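Review bot: Dropping the early `string_free(type)` in the first hunk means `type` is now released only on the return paths the later hunks touch; any error exits between those hunks are not in the diff, so please confirm each of them also frees `type` exactly once, otherwise the change trades the premature free for a leak on failure. The commit message would also benefit from naming the later use of `type` that triggered the crash, since the hunks alone do not show it.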
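Review bot: Every successful branch (session, direct-tcpip, forwarded-tcpip, x11 and the final SSH_CHANNEL_UNKNOWN fallback) now ends with the same sequence `string_free(type); SAFE_FREE(type_c); leave_function(); return msg;`; a single cleanup label reached from each branch would keep the free in one place, so that the next channel type added to this function cannot miss it the way the original code did.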
- Re: [PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions. | Aris Adamantiadis <aris@xxxxxxxxxxxx>
- Re: [PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions. | Vic Lee <llyzs@xxxxxxx>