diff options
| author | Jon Simons <jon@jonsimons.org> | 2014-01-15 13:50:15 -0800 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2014-01-16 09:27:55 +0100 |
| commit | cf19770edec83dea6207960d655e07682aa4cce7 (patch) | |
| tree | d9ef6fb9f99be18aa95e23040cdc454094177f07 /src/error.c | |
| parent | 7f42f5a3c9a89918065b7be7f69f2f07d67c7696 (diff) | |
bind: fix possible double-frees in ssh_bind_free
Make sure to explicitly set key pointers to NULL following the use
of 'ssh_key_free' throughout bind.c.
Before this change, a double free can happen via 'ssh_bind_free'
as in this example callpath:
// create an ssh_bind
ssh_bind b = ssh_bind_new();
// provide a path to a wrong key-type
ssh_bind_options_set(b, SSH_BIND_OPTIONS_DSAKEY, path_to_rsa_key);
// initialize set key-type
ssh_bind_listen(b);
-> error path "The DSA host key has the wrong type: %d",
ssh_key_free(sshbind->dsa)
-> ssh_key_clean(key) // OK
-> SAFE_FREE(key) // OK, but, sshbind->dsa is *not* set to NULL
// ssh_bind_listen failed, so clean up ssh_bind
ssh_bind_free(b);
-> ssh_key_free(sshbind->dsa) // double-free here
To fix, set pointers to NULL that have been free'd with 'ssh_key_free'.
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/error.c')
0 files changed, 0 insertions, 0 deletions