
Re: [PATCH] In handle_channel_request_open(), variable type is freed too early and causes memory corruption.


Vic Lee wrote:
> Hi,
> 
> I recently encountered some occasional crashes when trying to use the channel
> request stuff. It turned out that in the function
> handle_channel_request_open(), a variable 'type' is freed but then used
> in later code, which causes unexpected results, sometimes a double free
> and a crash, but if you are lucky sometimes nothing happens.
> 
> I will consider this bug a very critical one because it will make the
> function handle_channel_request_open() very unstable, affecting both
> the server side (all channel requests) and the client side (x11 and
> forward-listen requests).
> 
> I found this in the v0-4 branch, please help me check master as well...
> 
> Thanks,
> 
> Vic
> 
Thanks for your patch.

I will check on the master branch. I remember having reworked that code
(it's funny I did not see the problem); maybe I have corrected it.
Moreover, a double free is a security problem. If it is easy to
reproduce, we may have to do a security release.

Aris
