log: fixes legacy fallback for multiple sessions.

Legacy code in 'ssh_set_callbacks' will fallback to
'ssh_legacy_log_callback' (if the current log cb is
NULL) setting the user data to the current session.

However, if any other session is created afterwards,
it won't update the user data with the new session,
potentially leading to a use-after-free.

Fixes #238.

Signed-off-by: Diego Roux <diegoroux04@protonmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>

src/callbacks.c

@@ -45,6 +45,15 @@ static void ssh_legacy_log_callback(int priority,
     log_fn(session, priority, buffer, log_data);
 }
 
+void
+_ssh_remove_legacy_log_cb(void)
+{
+    if (ssh_get_log_callback() == ssh_legacy_log_callback) {
+        _ssh_reset_log_cb();
+        ssh_set_log_userdata(NULL);
+    }
+}
+
 int ssh_set_callbacks(ssh_session session, ssh_callbacks cb) {
   if (session == NULL || cb == NULL) {
     return SSH_ERROR;

src/log.c

@@ -221,6 +221,12 @@ int ssh_set_log_callback(ssh_logging_callback cb) {
   return SSH_OK;
 }
 
+void
+_ssh_reset_log_cb(void)
+{
+    ssh_log_cb = NULL;
+}
+
 ssh_logging_callback ssh_get_log_callback(void) {
   return ssh_log_cb;
 }

src/session.c

@@ -358,6 +358,8 @@ void ssh_free(ssh_session session)
       }
   }
 
+  _ssh_remove_legacy_log_cb();
+
   /* burn connection, it could contain sensitive data */
   explicit_bzero(session, sizeof(struct ssh_session_struct));
   SAFE_FREE(session);