session BUGFIX freeing invalid multi-channel SSH sessions

michalvasko · michalvasko · commit 5e0edd892aee · 2020-07-29T15:26:13.000+02:00
Fixes CESNET/netopeer2#518
diff --git a/src/session.c b/src/session.c
@@ -796,14 +796,20 @@ nc_session_free(struct nc_session *session, void (*data_free)(void *))
             }
             /* change nc_sshcb_msg() argument, we need a RUNNING session and this one will be freed */
             if (session->flags & NC_SESSION_SSH_MSG_CB) {
-                for (siter = session->ti.libssh.next; siter->status != NC_STATUS_RUNNING; siter = siter->ti.libssh.next) {
+                siter = session->ti.libssh.next;
+                while (siter && siter->status != NC_STATUS_RUNNING) {
                     if (siter->ti.libssh.next == session) {
                         ERRINT;
                         break;
                     }
+                    siter = siter->ti.libssh.next;
                 }
+                /* siter may be NULL in case all the sessions terminated at the same time (socket was disconnected),
+                 * we set session to NULL because we do not expect any new message to arrive */
                 ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, siter);
-                siter->flags |= NC_SESSION_SSH_MSG_CB;
+                if (siter) {
+                    siter->flags |= NC_SESSION_SSH_MSG_CB;
+                }
             }
         }
 
diff --git a/src/session_server_ssh.c b/src/session_server_ssh.c
@@ -1130,11 +1130,11 @@ nc_sshcb_msg(ssh_session UNUSED(sshsession), ssh_message msg, void *data)
     }
 
     VRB("Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype);
-    if ((session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) {
+    if (!session || (session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) {
         /* "valid" situation if, for example, receiving some auth or channel request timeouted,
          * but we got it now, during session free */
         VRB("SSH message arrived on a %s session, the request will be denied.",
-            (session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));
+            (session && session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));
         ssh_message_reply_default(msg);
         return 0;
     }

Original file line number	Diff line number	Diff line change
`@@ -796,14 +796,20 @@ nc_session_free(struct nc_session session, void (data_free)(void *))`
`796`	`796`	`}`
`797`	`797`	`/* change nc_sshcb_msg() argument, we need a RUNNING session and this one will be freed */`
`798`	`798`	`if (session->flags & NC_SESSION_SSH_MSG_CB) {`
`799`		`- for (siter = session->ti.libssh.next; siter->status != NC_STATUS_RUNNING; siter = siter->ti.libssh.next) {`
	`799`	`+ siter = session->ti.libssh.next;`
	`800`	`+ while (siter && siter->status != NC_STATUS_RUNNING) {`
`800`	`801`	`if (siter->ti.libssh.next == session) {`
`801`	`802`	`ERRINT;`
`802`	`803`	`break;`
`803`	`804`	`}`
	`805`	`+ siter = siter->ti.libssh.next;`
`804`	`806`	`}`
	`807`	`+ /* siter may be NULL in case all the sessions terminated at the same time (socket was disconnected),`
	`808`	`+ * we set session to NULL because we do not expect any new message to arrive */`
`805`	`809`	`ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, siter);`
`806`		`- siter->flags \|= NC_SESSION_SSH_MSG_CB;`
	`810`	`+ if (siter) {`
	`811`	`+ siter->flags \|= NC_SESSION_SSH_MSG_CB;`
	`812`	`+ }`
`807`	`813`	`}`
`808`	`814`	`}`
`809`	`815`
Original file line number	Diff line number	Diff line change
`@@ -1130,11 +1130,11 @@ nc_sshcb_msg(ssh_session UNUSED(sshsession), ssh_message msg, void *data)`
`1130`	`1130`	`}`
`1131`	`1131`
`1132`	`1132`	`VRB("Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype);`
`1133`		`- if ((session->status == NC_STATUS_CLOSING) \|\| (session->status == NC_STATUS_INVALID)) {`
	`1133`	`+ if (!session \|\| (session->status == NC_STATUS_CLOSING) \|\| (session->status == NC_STATUS_INVALID)) {`
`1134`	`1134`	`/* "valid" situation if, for example, receiving some auth or channel request timeouted,`
`1135`	`1135`	`* but we got it now, during session free */`
`1136`	`1136`	`VRB("SSH message arrived on a %s session, the request will be denied.",`
`1137`		`- (session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));`
	`1137`	`+ (session && session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));`
`1138`	`1138`	`ssh_message_reply_default(msg);`
`1139`	`1139`	`return 0;`
`1140`	`1140`	`}`