- djm@cvs.openbsd.org 2010/11/23 23:57:24

     [clientloop.c]
     avoid NULL deref on receiving a channel request on an unknown or invalid
     channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@

2 files changed, 6 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index de1fb753d..39d88701a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,10 @@
      [auth.c]
      use strict_modes already passed as function argument over referencing
      global options.strict_modes
+   - djm@cvs.openbsd.org 2010/11/23 23:57:24
+     [clientloop.c]
+     avoid NULL deref on receiving a channel request on an unknown or invalid
+     channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@
 
 20101124
  - (dtucker) [platform.c session.c] Move the getluid call out of session.c and
diff --git a/clientloop.c b/clientloop.c
index 076386cc2..91eea8562 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.225 2010/11/21 01:01:13 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.226 2010/11/23 23:57:24 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1933,7 +1933,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
                 }
                 packet_check_eom();
         }
-        if (reply) {
+        if (reply && c != NULL) {
                 packet_start(success ?
                     SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
                 packet_put_int(c->remote_id);