
Commit e515ea9

committed
Fix double-free on wolfSSH_SFTPNAME_readdir
The filename of the `WS_SFTPNAME` could be freed in this function upon an error, but it is not set to `NULL`, so when `wolfSSH_SFTPNAME_free` is called, a double-free occurs. Found when working on ZD 16290.
1 parent e0a1bdd commit e515ea9


1 file changed

+10
-4
lines changed

1 file changed

+10
-4
lines changed

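--- a/src/wolfsftp.c
+++ b/src/wolfsftp.c
@@ -3228,12 +3228,16 @@ static int wolfSSH_SFTPNAME_readdir(WOLFSSH* ssh, WDIR* dir, WS_SFTPNAME* out,
 >= (int)sizeof(r)) {
 WLOG(WS_LOG_SFTP, "Path length too large");
 WFREE(out->fName, out->heap, DYNTYPE_SFTP);
+out->fName = NULL;
+out->fSz = 0;
 return WS_FATAL_ERROR;
 }
 
 if (wolfSSH_RealPath(ssh->sftpDefaultPath, r, s, sizeof(s)) < 0) {
 WFREE(out->fName, out->heap, DYNTYPE_SFTP);
 WLOG(WS_LOG_SFTP, "Error cleaning path to get attributes");
+out->fName = NULL;
+out->fSz = 0;
 return WS_FATAL_ERROR;
 }
 
@@ -3248,6 +3252,8 @@ static int wolfSSH_SFTPNAME_readdir(WOLFSSH* ssh, WDIR* dir, WS_SFTPNAME* out,
 if (SFTP_CreateLongName(out) != WS_SUCCESS) {
 WLOG(WS_LOG_DEBUG, "Error creating long name for %s", out->fName);
 WFREE(out->fName, out->heap, DYNTYPE_SFTP);
+out->fName = NULL;
+out->fSz = 0;
 return WS_FATAL_ERROR;
 }
 
@@ -3976,7 +3982,7 @@ int wolfSSH_SFTP_RecvClose(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
 if (sz == sizeof(WFD)) {
 WMEMSET((byte*)&fd, 0, sizeof(WFD));
 WMEMCPY((byte*)&fd, data + idx, sz);
-
+
 #ifdef MICROCHIP_MPLAB_HARMONY
 ret = WFCLOSE(ssh->fs, &fd);
 #else
@@ -5003,7 +5009,7 @@ int SFTP_GetAttributes(void* fs, const char* fileName, WS_SFTP_FILEATRB* atr,
 {
 WOLFSSH_UNUSED(heap);
 WOLFSSH_UNUSED(fs);
-
+
 return SFTP_GetAttributesHelper(atr, fileName);
 }
 
@@ -5028,7 +5034,7 @@ int SFTP_GetAttributes_Handle(WOLFSSH* ssh, byte* handle, int handleSz,
 WLOG(WS_LOG_SFTP, "Unknown handle");
 return WS_BAD_FILE_E;
 }
-
+
 return SFTP_GetAttributesHelper(atr, cur->name);
 }
 
@@ -8844,7 +8850,7 @@ int wolfSSH_SFTP_Get(WOLFSSH* ssh, char* from,
 if (state->gOfst[0] > 0 || state->gOfst[1] > 0)
 ret = WFOPEN(ssh->fs, &state->fl, to, WOLFSSH_O_APPEND);
 else
-ret = WFOPEN(ssh->fs, &state->fl, to, WOLFSSH_O_WRONLY);
+ret = WFOPEN(ssh->fs, &state->fl, to, WOLFSSH_O_WRONLY);
 #elif defined(USE_WINDOWS_API)
 {
 DWORD desiredAccess = GENERIC_WRITE;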
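Review bot: The free-and-reset of `out->fName` is written out by hand in three error paths of wolfSSH_SFTPNAME_readdir, and in the wolfSSH_RealPath failure path the `WLOG` call sits between `WFREE` and the reset, unlike the other two. Since the double-free described in the commit message came from exactly this kind of path leaving a stale pointer behind, keeping the three statements adjacent in every path, `WFREE(out->fName, out->heap, DYNTYPE_SFTP); out->fName = NULL; out->fSz = 0;`, or routing all failures through one cleanup label, would make a missed reset much easier to spot in review. The function body begins before and continues past these hunks, so any other error return that frees `out->fName` cannot be checked from here and is worth auditing for the same reset. The remaining four hunks are whitespace-only changes in other functions; splitting them into a separate commit would keep this memory-safety fix small and easy to backport.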
