[hotssh] gssh: Aovid potential use-after-free



commit d2cdf7adb8235fe31d1278b97d12b1c5708433d7
Author: Colin Walters <walters verbum org>
Date:   Tue Nov 26 09:24:43 2013 -0500

    gssh: Aovid potential use-after-free
    
    If we return an error, the app may unref the object, so we need to
    emit state changes and free any memory just before doing the task
    return.

 libgssh/gssh-connection.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)
---
diff --git a/libgssh/gssh-connection.c b/libgssh/gssh-connection.c
index 518872c..d74e84b 100644
--- a/libgssh/gssh-connection.c
+++ b/libgssh/gssh-connection.c
@@ -459,8 +459,8 @@ gssh_connection_iteration_internal (GSshConnection   *self,
           }
         else if (rc == SSH_AUTH_SUCCESS)
           {
-            return_task_success_and_clear (&self->negotiate_task);
             state_transition (self, GSSH_CONNECTION_STATE_CONNECTED);
+            return_task_success_and_clear (&self->negotiate_task);
             goto repeat;
           }
         else if (rc == SSH_AUTH_ERROR)
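Review bot: After the reorder, the `goto repeat` that follows `return_task_success_and_clear (&self->negotiate_task)` still runs on `self`, so if the helper can invoke the caller's callback synchronously and that callback drops the last reference, the loop continues on a freed object. The same pattern is in the last hunk (the `auth_task` success branch at -605). The helper's dispatch behaviour and the rest of gssh_connection_iteration_internal are outside these hunks, so this needs confirming. If the task can complete inline, hold a reference for the duration of the function, `g_object_ref (self);` on entry and `g_object_unref (self);` on every exit path. A comment at each reordered site would also keep the ordering from being undone later, e.g. `/* Return the task last: the callback may drop the final ref on self */`.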
@@ -587,15 +587,15 @@ gssh_connection_iteration_internal (GSshConnection   *self,
             gs_free char *msg = g_strdup_printf ("Failed to authenticate via mechanism '%s'",
                                                  gssh_connection_auth_mechanism_to_string 
(self->current_authmech));
             _gssh_set_error_from_libssh (error, msg, self->session);
-            return_task_error_and_clear (&self->auth_task, local_error);
             g_clear_pointer (&self->password, g_free);
+            return_task_error_and_clear (&self->auth_task, local_error);
           }
         else if (rc == SSH_AUTH_DENIED)
           {
             g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
                                  "Authentication failed");
-            return_task_error_and_clear (&self->auth_task, local_error);
             g_clear_pointer (&self->password, g_free);
+            return_task_error_and_clear (&self->auth_task, local_error);
           }
         else if (rc == SSH_AUTH_PARTIAL)
           {
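Review bot: `g_clear_pointer (&self->password, g_free)` in both the SSH_AUTH_ERROR and SSH_AUTH_DENIED branches releases the password without overwriting it, so the cleartext stays in freed heap memory until that memory is reused. Scrub it first with a call the compiler cannot elide, for example `if (self->password) explicit_bzero (self->password, strlen (self->password));` where that function is available, ideally in one small helper used at both sites. The success branch in the last hunk does not clear `self->password` at all; if the password is not needed after authentication, clear it there too. Whether other paths outside these hunks release the password is not visible here.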
@@ -605,8 +605,8 @@ gssh_connection_iteration_internal (GSshConnection   *self,
           }
         else
           {
-            return_task_success_and_clear (&self->auth_task);
             state_transition (self, GSSH_CONNECTION_STATE_CONNECTED);
+            return_task_success_and_clear (&self->auth_task);
             goto repeat;
           }
         break;

