Clean up downstream sockets when upstream loses its SSH connection.

If the real SSH connection goes away and we call sharestate_free with
downstreams still active, then that in turn calls share_connstate_free
on all those downstreams, freeing the things their sockets are using
as Plugs but not actually closing the sockets, so further data coming
in from downstream gives rise to a use-after-free bug.

(Thanks to Timothe Litt for a great deal of help debugging this.)

diff --git a/sshshare.c b/sshshare.c
index 2b2f69a914f736d3605741f73050d30cdfd4615a..1c0e3cba8f64f41a6748a8e6a935739e7cd42076 100644 (file)
--- a/sshshare.c
+++ b/sshshare.c
@@ -502,6 +502,9 @@ static void share_connstate_free(struct ssh_sharing_connstate *cs)
         sfree(globreq);
     }
 
+    if (cs->sock)
+        sk_close(cs->sock);
+
     sfree(cs);
 }