Fix double-free on `wolfSSH_SFTPNAME_readdir`

The filename of the `WS_SFTPNAME` could be freed in this function upon
an error, but it is not set to `NULL`, so when
`wolfSSH_SFTPNAME_free` is called, a double-free occurs.

Found when working on ZD 16290.
pull/806/head
Andrew Hutchings 2025-05-21 15:34:29 +01:00
parent e0a1bdd9c4
commit e515ea9dc8
1 changed files with 10 additions and 4 deletions


@ -3228,12 +3228,16 @@ static int wolfSSH_SFTPNAME_readdir(WOLFSSH* ssh, WDIR* dir, WS_SFTPNAME* out,
>= (int)sizeof(r)) {
WLOG(WS_LOG_SFTP, "Path length too large");
WFREE(out->fName, out->heap, DYNTYPE_SFTP);
out->fName = NULL;
out->fSz = 0;
return WS_FATAL_ERROR;
}
if (wolfSSH_RealPath(ssh->sftpDefaultPath, r, s, sizeof(s)) < 0) {
WFREE(out->fName, out->heap, DYNTYPE_SFTP);
WLOG(WS_LOG_SFTP, "Error cleaning path to get attributes");
out->fName = NULL;
out->fSz = 0;
return WS_FATAL_ERROR;
}
@ -3248,6 +3252,8 @@ static int wolfSSH_SFTPNAME_readdir(WOLFSSH* ssh, WDIR* dir, WS_SFTPNAME* out,
if (SFTP_CreateLongName(out) != WS_SUCCESS) {
WLOG(WS_LOG_DEBUG, "Error creating long name for %s", out->fName);
WFREE(out->fName, out->heap, DYNTYPE_SFTP);
out->fName = NULL;
out->fSz = 0;
return WS_FATAL_ERROR;
}
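Review bot: The free-and-reset sequence for `out->fName` is now written out three times (both path checks in the first hunk and the `SFTP_CreateLongName` failure in the second), so the next error path added to this function can easily miss the reset again. In the `wolfSSH_RealPath` branch the `WLOG` call also sits between the `WFREE` and the reset, unlike the other two sites; keeping `out->fName = NULL; out->fSz = 0;` directly after the `WFREE` makes the pattern easier to audit. I would state the ownership rule once at the first site, e.g. `/* caller still calls wolfSSH_SFTPNAME_free(out); clear fName so it is not freed twice */`, or move the three lines into a small static helper. The body of `wolfSSH_SFTPNAME_readdir` starts and ends outside these hunks, so any other error return there that frees `out->fName` should be checked for the same reset. Since only one file changed, a regression test that forces one of these failures and then frees the name under a memory sanitizer would help keep the fix in place.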