Check the return value from ssh2_transport_filter_queue!
I carefully made it return a bool to indicate that the whole PPL had been freed, and then never actually checked that return value, so any kind of connection-fatal event inside filter_queue (such as reporting a DISCONNECT message) would cause a reference to freed memory on return.
Родитель
58fd58d64c
Коммит
804ac21381
|
@ -408,7 +408,8 @@ static bool ssh2_transport_filter_queue(struct ssh2_transport_state *s)
|
||||||
|
|
||||||
PktIn *ssh2_transport_pop(struct ssh2_transport_state *s)
|
PktIn *ssh2_transport_pop(struct ssh2_transport_state *s)
|
||||||
{
|
{
|
||||||
ssh2_transport_filter_queue(s);
|
if (ssh2_transport_filter_queue(s))
|
||||||
|
return NULL; /* we've been freed */
|
||||||
return pq_pop(s->ppl.in_pq);
|
return pq_pop(s->ppl.in_pq);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -988,7 +989,8 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||||
* from, even if we're _not_ looping on pq_pop. That way we can
|
* from, even if we're _not_ looping on pq_pop. That way we can
|
||||||
* still proactively handle those messages even if we're waiting
|
* still proactively handle those messages even if we're waiting
|
||||||
* for a user response. */
|
* for a user response. */
|
||||||
ssh2_transport_filter_queue(s);
|
if (ssh2_transport_filter_queue(s))
|
||||||
|
return; /* we've been freed */
|
||||||
|
|
||||||
crBegin(s->crState);
|
crBegin(s->crState);
|
||||||
|
|
||||||
|
|
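Review bot: In the first hunk, `ssh2_transport_pop` now returns NULL both when the input queue is empty and when `ssh2_transport_filter_queue` reports that the whole layer was freed, so a caller cannot tell the two cases apart from the return value. The callers are outside this diff; if any of them touches `s` after a NULL return (for example a coroutine wait macro that stores its resume point back into `s->crState` before returning), the freed-memory reference the commit message describes would still be reachable there, and that is worth confirming. At minimum the contract should be written down above the function, e.g. `/* Returns NULL if the queue is empty OR if s has just been freed; the caller must not dereference s after a NULL return. */`. The second hunk's early return in `ssh2_transport_process_queue` comes before `crBegin(s->crState)`, so no visible line touches `s` on that path.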