Sebastian Kuschel reports that pfd_closing can be called for a socket
error with pr->c NULL, in which case calling sshfwd_unclean_close on
it will dereference NULL and segfault. Write an alternative error
handling path for that possibility.

(I don't know if it's the only way, but one way this can happen is if
you're doing dynamic forwarding and the socket error occurs during
SOCKS negotiation, in which case no SSH channel has been set up yet
because we haven't yet found out what we want to put in the
direct-tcpip channel open message.)

[originally from svn r10018]
Simon Tatham 2013-08-15 06:42:36 +00:00
Parent 4ae1e260ea
Commit 883641845f
1 changed file: 11 additions and 1 deletion


@ -87,7 +87,17 @@ static int pfd_closing(Plug plug, const char *error_msg, int error_code,
/*
* Socket error. Slam the connection instantly shut.
*/
sshfwd_unclean_close(pr->c);
if (pr->c) {
sshfwd_unclean_close(pr->c);
} else {
/*
* We might not have an SSH channel, if a socket error
* occurred during SOCKS negotiation. If not, we must
* clean ourself up without sshfwd_unclean_close's call
* back to pfd_close.
*/
pfd_close(pr->s);
}
} else {
/*
* Ordinary EOF received on socket. Send an EOF on the SSH
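Review bot: The new else branch calls pfd_close(pr->s) from inside the pfd_closing callback, so once it returns nothing later in this function may touch pr or pr->s. The visible lines stop before the end of pfd_closing, so it is worth confirming that no code after the outer if/else reads pr on this path. The same applies to the pr->c branch, since the new comment says sshfwd_unclean_close calls back to pfd_close. The comment also names SOCKS negotiation as the cause of a NULL pr->c, while the commit message says that may not be the only way to get here; wording it as "for example, if a socket error occurred during SOCKS negotiation" would keep the comment accurate if another path turns up.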