Ticket #130 (closed defect)

Opened 8 years ago

Last modified 8 years ago

Dangling pointer in file_read_publickey

Reported by: anonymous Owned by: bagder
Priority: normal Milestone:
Component: Version:
Keywords: Cc: bagder
Blocked By: Blocks:


Memory for public key in userauth.c:file_read_publickey() is allocated to (pubkey), then on line 548 pointer is saved to (*method), then in case of failure in libssh2_base64_decode() original pointer in (pubkey) is freed on line 562, leaving dangling pointer in (*method). When session is closed in session.c:session_free() on line 854 it will try to free memory again which may lead to crash. Moving '*method = pubkey' after libssh2_base64_decode in file_read_publickey could fix this problem.

Change History

comment:1 Changed 8 years ago by bagder

I can only agree. If you tell me your name I'll give you the proper credit for having found this!

comment:2 Changed 8 years ago by sf-robot

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).

Note: See TracTickets for help on using tickets.