From e5fb20c17b3412cc2fcad60c8fba81fa7d9a2bc8 Mon Sep 17 00:00:00 2001
From: Oliver Stöneberg
Date: Wed, 4 May 2011 09:20:15 -0700
Subject: socket: Fixed use-after-free. When s->callbacks->exception() was called in ssh_socket_pollcallback() we had a use after free bug.
(cherry picked from commit 986676378943353cdcf156493812737dc91befdd)
---
 src/socket.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/socket.c b/src/socket.c
index f3da4280..5d92b6c9 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -253,6 +253,9 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r
 s->callbacks->exception(
 SSH_SOCKET_EXCEPTION_ERROR,
 s->last_errno,s->callbacks->userdata);
+ /* p may have been freed, so don't use it
+ * anymore in this function */
+ p = NULL;
 }
 }
 if(r==0){
@@ -266,6 +269,9 @@ int ssh_socket_pollcallback(struct ssh_poll_handle_struct *p, socket_t fd, int r
 s->callbacks->exception(
 SSH_SOCKET_EXCEPTION_EOF,
 0,s->callbacks->userdata);
+ /* p may have been freed, so don't use it
+ * anymore in this function */
+ p = NULL;
 }
 }
 if(r>0){
-- cgit
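Review bot: Clearing the local `p` after `s->callbacks->exception(...)` in the `r<0` branch only removes the dangling pointer if every later use of `p` in `ssh_socket_pollcallback()` tests it for NULL first, and control still falls through past `if(r==0){` into code these hunks do not show; an unguarded use there would turn the use-after-free into a NULL dereference. The same applies to the EOF branch in the second hunk. Because the comment says the callback may free the poll handle, it is also worth confirming that it cannot close or free the socket `s`, which presumably stays in use for the rest of the function. If nothing after the callback is needed on these two error paths, returning immediately is the sturdier shape, e.g. `p = NULL; return <error value>;` with whatever value the poll loop expects for a handle that is already gone (placeholder, the convention is not visible here). The function begins and ends outside both hunks.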