simon-git: putty (pre-0.79): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sat Aug 19 10:30:25 BST 2023
TL;DR:
27f0140e Fix use-after-free on error returns from share_receive.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: pre-0.79
Committer: Simon Tatham <anakin at pobox.com>
Date: 2023-08-19 10:30:25
commit 27f0140e5c613ae7c92bd30401d03f8201e09553
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=27f0140e5c613ae7c92bd30401d03f8201e09553;hp=74820e9408b7a0bf2232fc833b76aa80e09e0c72
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Aug 19 09:59:01 2023 +0100
Fix use-after-free on error returns from share_receive.
Spotted by Coverity. If PuTTY is functioning as a sharing upstream,
and a new downstream mishandles the version string exchange in any way
that provokes an error message from share_receive() (such as failing
to start the greeting with the expected protocol-name string), we were
calling share_disconnect() and then going to crFinish. But
share_disconnect is capable of actually freeing the entire
ssh_sharing_connstate which contains the coroutine state - in which
case, crFinish's zeroing out of crLine is a use-after-free.
The usual pattern elsewhere in this code is to exit a coroutine with
an ordinary 'return' when you've destroyed its state structure. Switch
to doing that here.
ssh/sharing.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
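The commit message describes the hazard but not the shape of the code, so here is an added, self-contained C model of it (this is the editor's example, not PuTTY's own source: the crBegin/crReturn/crFinish macros imitate the shape of PuTTY's coroutine macros, the protocol-name prefix, connstate layout, share_disconnect() stand-in and chunked input are all constructed for the example). Both the pre-fix and the fixed error path are shown side by side. Instead of really calling free(), the destructor poisons the block and parks it in a one-slot quarantine, the way a sanitiser's allocator does, so that crFinish's "*crLine = 0" landing in destroyed memory can be detected and asserted on without ASan; in the real code the write goes into genuinely freed heap memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed imitation of the crBegin/crReturn/crFinish coroutine macros
 * (the shape is what matters): crLine lives inside the state struct and
 * crFinish writes to it as the coroutine's very last act. */
#define crBegin(v)  { int *crLine = &(v); switch (v) { case 0:;
#define crReturn(z) do { *crLine = __LINE__; return (z); case __LINE__:; } while (0)
#define crFinish(z) } *crLine = 0; return (z); }

enum { RECV_WANT_MORE, RECV_DONE, RECV_DISCONNECTED };

typedef struct connstate {
    int crLine;          /* coroutine resume point, inside the freed block */
    char greeting[80];   /* downstream's version line, accumulated so far */
    size_t greeting_len;
} connstate;

/* Constructed stand-in for the protocol-name prefix the upstream expects. */
static const char EXPECTED_PREFIX[] = "SSHCONNECTION@example-";

/* Stand-in for share_disconnect(): tearing down the downstream destroys the
 * whole connstate. Here the block is poisoned and quarantined rather than
 * freed, so a later write through a dangling pointer can be observed. */
#define POISON 0xAB
static connstate *quarantine;
static void share_disconnect(connstate *cs) {
    memset(cs, POISON, sizeof *cs);
    quarantine = cs;
}
static int quarantine_was_written(void) {
    const unsigned char *p = (const unsigned char *)quarantine;
    if (!p) return 0;
    for (size_t i = 0; i < sizeof *quarantine; i++)
        if (p[i] != POISON) return 1;
    return 0;
}
static void quarantine_release(void) { free(quarantine); quarantine = NULL; }

/* Append incoming bytes to the greeting; 1 once a newline has arrived.
 * Overlong lines are truncated and then rejected by greeting_ok(). */
static int take_line(connstate *cs, const char **data, size_t *len) {
    while (*len > 0) {
        char c = *(*data)++; (*len)--;
        if (cs->greeting_len < sizeof cs->greeting)
            cs->greeting[cs->greeting_len++] = c;
        if (c == '\n') return 1;
    }
    return 0;
}

static int greeting_ok(const connstate *cs) {
    size_t n = cs->greeting_len, plen = sizeof EXPECTED_PREFIX - 1;
    return n >= plen && cs->greeting[n - 1] == '\n' &&
           memcmp(cs->greeting, EXPECTED_PREFIX, plen) == 0;
}

/* Pre-fix shape: the error path destroys the state and still falls through
 * to crFinish, whose "*crLine = 0" now lands in destroyed memory. */
static int share_receive_prefix(connstate *cs, const char *data, size_t len) {
    int ret = RECV_DONE;
    crBegin(cs->crLine);
    while (!take_line(cs, &data, &len))
        crReturn(RECV_WANT_MORE);      /* yield until more bytes arrive */
    if (!greeting_ok(cs)) {
        share_disconnect(cs);          /* cs, and with it cs->crLine, is gone */
        ret = RECV_DISCONNECTED;
    }
    crFinish(ret);                     /* use-after-free on the error path */
}

/* Fixed shape: once the state structure is destroyed, leave the coroutine
 * with an ordinary return and never touch cs again. */
static int share_receive_fixed(connstate *cs, const char *data, size_t len) {
    crBegin(cs->crLine);
    while (!take_line(cs, &data, &len))
        crReturn(RECV_WANT_MORE);
    if (!greeting_ok(cs)) {
        share_disconnect(cs);
        return RECV_DISCONNECTED;      /* plain return: no write to *crLine */
    }
    crFinish(RECV_DONE);
}

typedef int (*receive_fn)(connstate *, const char *, size_t);

/* Deliver a constructed greeting in two chunks; return the final code. */
static int feed(receive_fn fn, connstate *cs, const char *msg) {
    size_t n = strlen(msg), head = n / 2;
    int r = fn(cs, msg, head);
    if (r != RECV_WANT_MORE) return r;
    return fn(cs, msg + head, n - head);
}

/* 1 if the destroyed state was written to after share_disconnect(). */
static int writes_freed_state(receive_fn fn) {
    connstate *cs = calloc(1, sizeof *cs);
    int r = feed(fn, cs, "NOT-THE-PROTOCOL-1.0\n");
    int hit = (r == RECV_DISCONNECTED) && quarantine_was_written();
    if (quarantine) quarantine_release(); else free(cs);
    return hit;
}

/* 1 if a well-formed greeting completes and crFinish reset crLine to 0. */
static int accepts_good_greeting(receive_fn fn) {
    connstate *cs = calloc(1, sizeof *cs);
    int r = feed(fn, cs, "SSHCONNECTION@example-2.0-downstream\n");
    int ok = (r == RECV_DONE) && cs->crLine == 0;
    free(cs);
    return ok;
}

int main(void) {
    printf("pre-fix writes destroyed state: %d\n", writes_freed_state(share_receive_prefix));
    printf("fixed   writes destroyed state: %d\n", writes_freed_state(share_receive_fixed));
    return 0;
}
```

The check a reviewer would carry over to the real code: any exit path of a coroutine that may have destroyed the structure holding crLine must leave with a plain return, because crFinish (and crReturn) dereference the crLine pointer captured at crBegin. In the real tree the write goes into freed heap memory, so an ASan or Valgrind run of the sharing upstream fed a malformed downstream greeting is the practical way to confirm the fix.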