Subject: [libssh2] memory corruption in sftp.c

From: Gutjahr, Troy <>
Date: Thu, 14 Jun 2007 19:57:05 -0500

These statements at the end of libssh2_sftp_close_handle() seem like a
bug to me. You can't modify the memory to which handle points after you
free it, right?

LIBSSH2_FREE(session, handle->handle);
LIBSSH2_FREE(session, handle);

handle->close_state = libssh2_NB_state_idle;

Jim: What do you think?

By the way, I used the library of Solaris 9 to find this
bug. It's quite nifty. Here is some info about it: .

-- Troy
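To make the ordering problem in the report concrete, here is an added example that is not from the mail or from libssh2: a constructed stand-in for an SFTP handle, the free-then-write sequence quoted above, and the corrected sequence in which the struct is not touched after it is released. The type names, `open_handle`, `close_handle_fixed` and the tracked free counter are all assumptions made for the illustration, not libssh2's own definitions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the libssh2 types the report refers to; these are
 * not libssh2's own definitions, just enough structure to show the ordering bug. */
enum nb_state { nb_state_idle = 0, nb_state_created = 1, nb_state_sent = 2 };

typedef struct sftp_handle {
    char *handle;              /* server-issued handle string, heap allocated */
    size_t handle_len;
    enum nb_state close_state;
} sftp_handle;

/* Counts frees so the check below can confirm both allocations were released. */
static int frees_done = 0;

static void tracked_free(void *p)
{
    if (p) {
        frees_done++;
        free(p);
    }
}

/* Allocate a handle the way an open would, copying the server's handle string. */
sftp_handle *open_handle(const char *server_handle)
{
    sftp_handle *h = calloc(1, sizeof *h);
    if (!h)
        return NULL;
    h->handle_len = strlen(server_handle);
    h->handle = malloc(h->handle_len + 1);
    if (!h->handle) {
        free(h);
        return NULL;
    }
    memcpy(h->handle, server_handle, h->handle_len + 1);
    h->close_state = nb_state_created;
    return h;
}

/* The ordering from the report: the struct is freed, then a field is written
 * through the dangling pointer. Kept for contrast only; nothing here calls it. */
void close_handle_buggy(sftp_handle *handle)
{
    tracked_free(handle->handle);
    tracked_free(handle);
    handle->close_state = nb_state_idle;   /* write after free */
}

/* Corrected ordering: every access to *handle happens before it is released.
 * Returns the state recorded just before the free so a caller can check it. */
enum nb_state close_handle_fixed(sftp_handle *handle)
{
    enum nb_state final_state = nb_state_idle;
    handle->close_state = final_state;     /* memory is still valid here */
    tracked_free(handle->handle);
    tracked_free(handle);                  /* handle is dangling from here on */
    return final_state;
}

/* Drive one open/close cycle; returns 0 when the state was reset and both the
 * handle string and the struct were released exactly once, -1 otherwise. */
int close_fixed_demo(void)
{
    sftp_handle *h = open_handle("constructed-handle-0001");   /* constructed input */
    if (!h)
        return -1;
    frees_done = 0;
    enum nb_state s = close_handle_fixed(h);
    h = NULL;   /* callers drop their copy of the pointer once close returns */
    if (s != nb_state_idle || frees_done != 2)
        return -1;
    return 0;
}

int main(void)
{
    printf("%s\n", close_fixed_demo() == 0 ? "close ok" : "close FAILED");
    return 0;
}
```

Building with `-fsanitize=address` and calling `close_handle_buggy` instead of the fixed version reports the write to freed memory immediately, which is the same class of check the report describes getting from the Solaris 9 library.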

libssh2-devel mailing list
Received on 2007-06-15