session BUGFIX freeing invalid multi-channel SSH sessions
Fixes cesnet/netopeer2#518
diff --git a/src/session.c b/src/session.c
index 92eeb85..3b1ec98 100644
--- a/src/session.c
+++ b/src/session.c
@@ -796,14 +796,20 @@
}
/* change nc_sshcb_msg() argument, we need a RUNNING session and this one will be freed */
if (session->flags & NC_SESSION_SSH_MSG_CB) {
- for (siter = session->ti.libssh.next; siter->status != NC_STATUS_RUNNING; siter = siter->ti.libssh.next) {
+ siter = session->ti.libssh.next;
+ while (siter && siter->status != NC_STATUS_RUNNING) {
if (siter->ti.libssh.next == session) {
ERRINT;
break;
}
+ siter = siter->ti.libssh.next;
}
+ /* siter may be NULL in case all the sessions terminated at the same time (socket was disconnected),
+ * we set session to NULL because we do not expect any new message to arrive */
ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, siter);
- siter->flags |= NC_SESSION_SSH_MSG_CB;
+ if (siter) {
+ siter->flags |= NC_SESSION_SSH_MSG_CB;
+ }
}
}
diff --git a/src/session_server_ssh.c b/src/session_server_ssh.c
index 3069ae6..899f8b3 100644
--- a/src/session_server_ssh.c
+++ b/src/session_server_ssh.c
@@ -1130,11 +1130,11 @@
}
VRB("Received an SSH message \"%s\" of subtype \"%s\".", str_type, str_subtype);
- if ((session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) {
+ if (!session || (session->status == NC_STATUS_CLOSING) || (session->status == NC_STATUS_INVALID)) {
/* "valid" situation if, for example, receiving some auth or channel request timeouted,
* but we got it now, during session free */
VRB("SSH message arrived on a %s session, the request will be denied.",
- (session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));
+ (session && session->status == NC_STATUS_CLOSING ? "closing" : "invalid"));
ssh_message_reply_default(msg);
return 0;
}