Subject: [libssh2] memory corruption in sftp.c

From: Gutjahr, Troy <Troy.Gutjahr_at_tellabs.com>
Date: Thu, 14 Jun 2007 19:57:05 -0500

These statements at the end of libssh2_sftp_close_handle() seem like a
bug to me. You can't modify the memory to which handle points after you
free it, right?

LIBSSH2_FREE(session, handle->handle);
LIBSSH2_FREE(session, handle);

handle->close_state = libssh2_NB_state_idle;

Jim: What do you think?

By the way, I used the libumem.so.1 library of Solaris 9 to find this
bug. It's quite nifty. Here is some info about it:
http://access1.sun.com/techarticles/libumem.html .

-- Troy
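The pattern Troy reports, reproduced as an added example that is not libssh2 code: a store to handle->close_state after handle has been passed to LIBSSH2_FREE is a write into freed memory. The example also shows, in miniature, how a debugging allocator such as libumem catches this: freed blocks are filled with a byte pattern and parked in a quarantine instead of being returned to malloc, and an audit afterwards reports any block whose pattern was disturbed. LIBSSH2_SESSION, LIBSSH2_SFTP_HANDLE, the LIBSSH2_ALLOC/LIBSSH2_FREE macros (here taking an explicit size), the quarantine allocator and the sample handle bytes are all simplified stand-ins constructed for this example and do not match the real library's definitions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins, not libssh2's real types or allocator. */
#define QUARANTINE_MAX 16
#define FREED_PATTERN  0xDE   /* every byte of a freed block is set to this */

typedef enum {
    libssh2_NB_state_idle = 0,
    libssh2_NB_state_created,
    libssh2_NB_state_sent
} libssh2_nonblocking_states;

/* Freed blocks are pattern-filled and parked here rather than released, so an
 * audit can later tell whether anything wrote to them after the free. This
 * mimics what a debugging allocator like libumem does for you. */
typedef struct {
    void  *quarantine[QUARANTINE_MAX];
    size_t quarantine_len[QUARANTINE_MAX];
    int    quarantined;
} LIBSSH2_SESSION;

typedef struct {
    unsigned char *handle;       /* opaque server-side SFTP handle bytes */
    size_t         handle_len;
    libssh2_nonblocking_states close_state;
} LIBSSH2_SFTP_HANDLE;

static void *LIBSSH2_ALLOC(LIBSSH2_SESSION *s, size_t n)
{
    (void)s;
    return calloc(1, n);
}

/* Pattern-fill the block and quarantine it; only really free() when full. */
static void LIBSSH2_FREE(LIBSSH2_SESSION *s, void *p, size_t n)
{
    if (!p)
        return;
    memset(p, FREED_PATTERN, n);
    if (s->quarantined < QUARANTINE_MAX) {
        s->quarantine[s->quarantined] = p;
        s->quarantine_len[s->quarantined] = n;
        s->quarantined++;
    } else {
        free(p);
    }
}

/* Number of quarantined blocks whose fill pattern was disturbed, i.e. blocks
 * that were written to after they were freed. */
static int audit_freed_blocks(const LIBSSH2_SESSION *s)
{
    int corrupted = 0;
    for (int i = 0; i < s->quarantined; i++) {
        const unsigned char *b = s->quarantine[i];
        for (size_t j = 0; j < s->quarantine_len[i]; j++) {
            if (b[j] != FREED_PATTERN) { corrupted++; break; }
        }
    }
    return corrupted;
}

static void release_quarantine(LIBSSH2_SESSION *s)
{
    for (int i = 0; i < s->quarantined; i++)
        free(s->quarantine[i]);
    s->quarantined = 0;
}

static LIBSSH2_SFTP_HANDLE *open_handle(LIBSSH2_SESSION *s,
                                        const unsigned char *bytes, size_t n)
{
    LIBSSH2_SFTP_HANDLE *h = LIBSSH2_ALLOC(s, sizeof *h);
    h->handle = LIBSSH2_ALLOC(s, n);
    memcpy(h->handle, bytes, n);
    h->handle_len = n;
    h->close_state = libssh2_NB_state_sent;
    return h;
}

/* The ordering from the report: the final store lands in freed memory. */
static void close_handle_buggy(LIBSSH2_SESSION *s, LIBSSH2_SFTP_HANDLE *handle)
{
    LIBSSH2_FREE(s, handle->handle, handle->handle_len);
    LIBSSH2_FREE(s, handle, sizeof *handle);
    handle->close_state = libssh2_NB_state_idle;   /* write after free */
}

/* Corrected ordering: touch the object only while it is still alive. */
static void close_handle_fixed(LIBSSH2_SESSION *s, LIBSSH2_SFTP_HANDLE *handle)
{
    handle->close_state = libssh2_NB_state_idle;
    LIBSSH2_FREE(s, handle->handle, handle->handle_len);
    LIBSSH2_FREE(s, handle, sizeof *handle);
}

/* Run one close routine under the quarantine allocator; returns how many
 * freed blocks it wrote to (0 is clean, 1 means the handle struct was hit). */
static int corrupted_blocks_after_close(void (*close_fn)(LIBSSH2_SESSION *,
                                                         LIBSSH2_SFTP_HANDLE *))
{
    static const unsigned char sample_handle[4] = { 0, 0, 0, 1 }; /* constructed */
    LIBSSH2_SESSION session;
    memset(&session, 0, sizeof session);
    LIBSSH2_SFTP_HANDLE *h = open_handle(&session, sample_handle, sizeof sample_handle);
    close_fn(&session, h);
    int bad = audit_freed_blocks(&session);
    release_quarantine(&session);
    return bad;
}

int main(void)
{
    printf("buggy close: %d freed block(s) written to\n",
           corrupted_blocks_after_close(close_handle_buggy));
    printf("fixed close: %d freed block(s) written to\n",
           corrupted_blocks_after_close(close_handle_fixed));
    return 0;
}
```

Because the quarantine never hands freed memory back to malloc, the buggy routine's stray store is well-defined here and shows up as exactly one disturbed block (the handle struct; the handle bytes buffer keeps its pattern). In a real build the same store would land on whatever the allocator has since reused that block for, which is why it surfaces as seemingly unrelated memory corruption rather than a crash at the offending line.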

_______________________________________________
libssh2-devel mailing list
libssh2-devel_at_lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libssh2-devel
Received on 2007-06-15