simon-git: putty (pre-0.83): Simon Tatham

[Commits to Tartarus hosted VCS]

TL;DR:
  ec158a2e Pageant: call signop_unlink from signop_free.

Repository:     https://git.tartarus.org/simon/putty.git
On the web:     https://git.tartarus.org/?p=simon/putty.git
Branch updated: pre-0.83
Committer:      Simon Tatham <anakin at pobox.com>
Date:           2025-01-18 11:59:25

commit ec158a2e19c9f81b3676e157652d93955789f423
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ec158a2e19c9f81b3676e157652d93955789f423;hp=19798515df5db3151370e331ca1312bb39fadf16
Author: Simon Tatham <anakin at pobox.com>
Date:   Sat Jan 18 11:03:24 2025 +0000

    Pageant: call signop_unlink from signop_free.
    
    A user reported that the following sequence of events leads to Pageant
    crashing:
    
     - load an encrypted key into Pageant for decryption later
     - attempt to use the key, so that Pageant prompts for the passphrase
     - before entering the passphrase, abort the attempt to use the
       key (e.g. by closing the PuTTY that was trying to use it)
     - now enter the passphrase at the Pageant prompt, once the need for
       it has gone away.
    
    Once the key is decrypted, unblock_requests_for_key() goes through the
    linked list of blocked PageantSignOp attached to the private key
    record it's just decrypted, and tries to unblock them. The
    PageantSignOp belonging to the aborted Pageant request is still linked
    on that list, which it shouldn't be, because it's also been freed by
    pageant_unregister_client when that traversed the separate linked list
    of PageantAsyncOp associated with that client connection. So the
    private key's list of blocked requests contained a stale pointer.
    
    Now PageantSignOp's implementation of the PageantAsyncOp free method
    makes sure to unlink the signop from any list it's on before freeing
    it.

 pageant.c | 1 +
 1 file changed, 1 insertion(+)