Re: [PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions.
- Subject: Re: [PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions.
- From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Tue, 19 Jan 2010 18:12:40 +0100
- To: libssh@xxxxxxxxxx
Vic Lee wrote:
> Hi,
>
> I recently encountered some occasional crashes when trying to use channel
> request stuff. It turned out that in function
> handle_channel_request_open(), a variable 'type' is freed but then used
> in later code, which causes unexpected results, sometimes double-freed
> and crash, but if you are lucky sometimes things won't happen.
>
> I will consider this bug a very critical one because this will make the
> function handle_channel_request_open() very unstable, affecting both
> server side (all channel requests) and client side (x11 and
> forward-listen requests)
>
> I found this in v0-4 branch, please help me to check master as well...
>
> Thanks,
>
> Vic
>

Thanks for your patch. I will check on the master branch. I remember
having reworked that code (it's funny I did not see the problem), maybe
I have corrected it.

Moreover, a double free is a security problem. If it is easy to
reproduce, we may have to do a security release.

Aris
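
Added example, not part of the original message and not libssh code: a constructed C sketch of the bug class discussed above (a parsed channel-type string freed before its last use) and the single-exit ownership pattern that avoids both the stale read and the second free. The function name, the enum and the sample handling of the length-prefixed string are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this sketch; not libssh's own types. */
enum open_kind { OPEN_ERROR = -1, OPEN_UNKNOWN, OPEN_SESSION, OPEN_X11,
                 OPEN_FORWARDED_TCPIP };

/*
 * Ordering the thread describes, as a comment only (constructed, not the
 * libssh source):
 *     type = read_string(buf);
 *     free(type);                        released too early
 *     if (strcmp(type, "x11") == 0) ...  read of freed memory
 *     free(type);                        a later path frees it again
 */

/* Parse an SSH string (uint32 big-endian length, then bytes) holding the
 * channel type, classify it, and release it exactly once at `out`. */
enum open_kind classify_channel_open(const uint8_t *buf, size_t buflen)
{
    enum open_kind kind = OPEN_ERROR;
    char *type = NULL;
    uint32_t len;

    if (buf == NULL || buflen < 4)
        goto out;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len > buflen - 4)
        goto out;                       /* length field exceeds the packet */
    if (memchr(buf + 4, '\0', len) != NULL)
        goto out;                       /* embedded NUL would truncate strcmp */

    type = malloc((size_t)len + 1);
    if (type == NULL)
        goto out;
    memcpy(type, buf + 4, len);
    type[len] = '\0';

    if (strcmp(type, "session") == 0)
        kind = OPEN_SESSION;
    else if (strcmp(type, "x11") == 0)
        kind = OPEN_X11;
    else if (strcmp(type, "forwarded-tcpip") == 0)
        kind = OPEN_FORWARDED_TCPIP;
    else
        kind = OPEN_UNKNOWN;

out:
    free(type);                         /* only release; free(NULL) is a no-op */
    return kind;
}
```

Building a handler like this with AddressSanitizer (`-fsanitize=address`) makes a premature free fail deterministically instead of only occasionally.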
Re: [PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions. | Vic Lee <llyzs@xxxxxxx> |
[PATCH] In handle_channel_request_open(), variable type is freed too early and cause memory corruptions. | Vic Lee <llyzs@xxxxxxx> |