diff svr-chansession.c @ 654:818108bf7749

- Fix use-after-free if multiple command requests were sent. Move the original_command into chansess struct since that makes more sense
author Matt Johnston <matt@ucc.asn.au>
date Sun, 04 Dec 2011 05:31:25 +0800
parents 306a907d23e7
children 16af1decaf4c
--- a/svr-chansession.c	Sun Dec 04 05:27:57 2011 +0800
+++ b/svr-chansession.c	Sun Dec 04 05:31:25 2011 +0800
@@ -217,6 +217,8 @@
 
 	struct ChanSess *chansess;
 
+	TRACE(("new chansess %p", channel))
+
 	dropbear_assert(channel->typedata == NULL);
 
 	chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
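Review bot: The added trace passes `channel` to `%p` without a cast. `channel` is a struct pointer (see `channel->typedata` just below), and if TRACE forwards to a printf-style variadic function, `%p` requires a `void *` argument, so `TRACE(("new chansess %p", (void*)channel))` is the portable form. The message also says "chansess" while printing the channel pointer, because chansess is not allocated until a few lines later. Wording it as `"new chansess for channel %p"` would make the trace easier to correlate when tracking object lifetimes. The enclosing function begins and ends outside this hunk.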
@@ -279,6 +281,10 @@
 	m_free(chansess->cmd);
 	m_free(chansess->term);
 
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+	m_free(chansess->original_command);
+#endif
+
 	if (chansess->tty) {
 		/* write the utmp/wtmp login record */
 		li = chansess_login_alloc(chansess);
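Review bot: The new `m_free(chansess->original_command)` here, and the `if (chansess->original_command)` test in the third hunk, both read a field that nothing visible in this diff initialises. The first hunk's context shows the struct coming from `m_malloc(sizeof(struct ChanSess))`, and the field initialisers that follow it are outside the hunk. Unless m_malloc zeroes memory or an assignment already exists there, a session that never has a forced command would free, and later export to the environment, an indeterminate pointer. Adding `chansess->original_command = NULL;` under `#ifdef ENABLE_SVR_PUBKEY_OPTIONS` in the allocation function would make this explicit. A comment on the struct field should also state that chansess owns this string and that it must never alias `chansess->cmd`, which is freed two lines above; the cleanup function itself begins and ends outside this hunk.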
@@ -924,10 +930,8 @@
 	}
 	
 #ifdef ENABLE_SVR_PUBKEY_OPTIONS
-	if (ses.authstate.pubkey_options &&
-			ses.authstate.pubkey_options->original_command) {
-		addnewvar("SSH_ORIGINAL_COMMAND", 
-			ses.authstate.pubkey_options->original_command);
+	if (chansess->original_command) {
+		addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
 	}
 #endif