#268: [PATCH]Field accessed after dealloc causing error on Windows
-------------------------------------------+--------------------
Reporter: Jens | Owner:
Type: defect | Status: new
Priority: normal | Milestone: 1.4.3
Component: API | Version: 1.4.2
Keywords: Dump Free _RtlpBreakPointHeap | Blocked By:
Blocks: |
-------------------------------------------+--------------------
On Windows:
Freeing a forward channel is causing an error.
Unfortunately, the error does not occur at the position where it is
caused. It occurs on a new allocation or sometimes on freeing of objects; it
is pretty random.
The last point in the call stack is usually this:
ntdll.dll!_RtlpBreakPointHeap_at_4
Reason for the defect:
As already pointed out by Gregory Moltchadski in Ticket Number 257
(however, he made just a small remark about this error, which must be forgotten
to solve), a field is accessed after a structure was deallocated.
In channel.c:
In function int _libssh2_channel_forward_cancel(LIBSSH2_LISTENER
*listener):
AT THE END:
{{{
_libssh2_list_remove(&listener->node);
LIBSSH2_FREE(session, listener);
listener->chanFwdCncl_state = libssh2_NB_state_idle;
return 0;
}
}}}
The field chanFwdCncl_state is set but listener was released before.
To set this field is pretty much senseless, since the object is
deallocated anyway, however I would just swap the Free Statement and the
assignment.
Solution:
{{{
_libssh2_list_remove(&listener->node);
listener->chanFwdCncl_state = libssh2_NB_state_idle;
LIBSSH2_FREE(session, listener);
return 0;
}
}}}
--
Ticket URL: <https://trac.libssh2.org/ticket/268>
libssh2 <https://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2013-08-12
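An added example, not code from the ticket or from libssh2: a simplified model of a debug allocator that poisons a block on free and validates it on a later heap call, which shows why a write after free is reported far from the line that caused it. The struct layout, `NB_STATE_IDLE`, `dbg_free`, `dbg_check` and `cancel_tail` are hypothetical stand-ins, and the block is held in a quarantine rather than really released, so the late write stays defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xDD        /* fill byte written over a block when it is released */
#define NB_STATE_IDLE 0    /* stand-in for libssh2_NB_state_idle (assumed value) */

/* Hypothetical stand-in for LIBSSH2_LISTENER, not the real layout. */
struct listener { void *node[2]; int chanFwdCncl_state; };

/* One-slot quarantine: a released block is poisoned and held, not returned
 * to the C heap, so a late write to it can be observed safely. */
static unsigned char *q_block;
static size_t q_size;

static void dbg_free(void *p, size_t n) {
    memset(p, POISON, n);
    q_block = p;
    q_size = n;
}

/* Called on a later heap operation: offset of the first overwritten poison
 * byte, or -1 if the block is intact. Really releases the block afterwards. */
static long dbg_check(void) {
    long bad = -1;
    for (size_t i = 0; q_block && i < q_size; i++)
        if (q_block[i] != POISON) { bad = (long)i; break; }
    free(q_block);
    q_block = NULL;
    return bad;
}

/* End of the cancel routine in both orders; the write itself reports nothing. */
static void cancel_tail(int ticket_order) {
    struct listener *l = malloc(sizeof *l);
    if (!l) abort();
    if (ticket_order) {                 /* free first, then assign */
        dbg_free(l, sizeof *l);
        l->chanFwdCncl_state = NB_STATE_IDLE;
    } else {                            /* assign first, then free */
        l->chanFwdCncl_state = NB_STATE_IDLE;
        dbg_free(l, sizeof *l);
    }
}

int main(void) {
    cancel_tail(1); printf("free-then-assign: %ld\n", dbg_check());
    cancel_tail(0); printf("assign-then-free: %ld\n", dbg_check());
    return 0;
}
```

The damage is only reported when `dbg_check` runs, and the offset it returns identifies the field that was written, which is the information needed to trace the fault back to the assignment.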