socket: do not free poll object if it is locked

As it may a cause a use after free if `send` fails when ssh_poll_ctx_dopoll does its callback ssh_poll_ctx_dopoll still wants to use the poll object later Signed-off-by: Philippe Antoine <p.antoine@catenacyber.fr> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> (cherry picked from commit c99261437f)
2026-02-12 03:00:26 +09:00 · 2025-07-23 14:37:45 +02:00
parent 65f363c9e3
commit 3a28fbe5c6
3 changed files with 16 additions and 1 deletions
--- a/src/poll.c
+++ b/src/poll.c
@@ -669,6 +669,20 @@ void ssh_poll_ctx_remove(ssh_poll_ctx ctx, ssh_poll_handle p)
  }
 }

+/**
+ * @brief  Returns if a poll object is locked.
+ *
+ * @param  p            Pointer to an already allocated poll object.
+ * @returns true if the poll object is locked; false otherwise.
+ */
+bool ssh_poll_is_locked(ssh_poll_handle p)
+{
+    if (p == NULL) {
+        return false;
+    }
+    return p->lock_cnt > 0;
+}
+
 /**
 * @brief  Poll all the sockets associated through a poll object with a
 *         poll context. If any of the events are set after the poll, the
--- a/src/socket.c
+++ b/src/socket.c
@@ -478,7 +478,7 @@ void ssh_socket_close(ssh_socket s)
 #endif
    }

-    if (s->poll_handle != NULL) {
+    if (s->poll_handle != NULL && !ssh_poll_is_locked(s->poll_handle)) {
        ssh_poll_free(s->poll_handle);
        s->poll_handle = NULL;
    }