CVE-2025-5449 sftpserver: Avoid NULL dereference for invalid handles

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

src/sftpserver.c

@@ -961,7 +961,7 @@ process_read(sftp_client_message client_msg)
                     ssh_string_len(handle));
 
     h = sftp_handle(sftp, handle);
-    if (h->type == SFTP_FILE_HANDLE) {
+    if (h != NULL && h->type == SFTP_FILE_HANDLE) {
         fd = h->fd;
     }
 
@@ -1019,7 +1019,7 @@ process_write(sftp_client_message client_msg)
                     ssh_string_len(handle));
 
     h = sftp_handle(sftp, handle);
-    if (h->type == SFTP_FILE_HANDLE) {
+    if (h != NULL && h->type == SFTP_FILE_HANDLE) {
         fd = h->fd;
     }
     if (fd < 0) {
@@ -1064,7 +1064,11 @@ process_close(sftp_client_message client_msg)
                     ssh_string_len(handle));
 
     h = sftp_handle(sftp, handle);
-    if (h->type == SFTP_FILE_HANDLE) {
+    if (h == NULL) {
+        SSH_LOG(SSH_LOG_PROTOCOL, "invalid handle");
+        sftp_reply_status(client_msg, SSH_FX_INVALID_HANDLE, "Invalid handle");
+        return SSH_OK;
+    } else if (h->type == SFTP_FILE_HANDLE) {
         int fd = h->fd;
         close(fd);
         ret = SSH_OK;
@@ -1232,7 +1236,7 @@ process_readdir(sftp_client_message client_msg)
                     ssh_string_len(handle));
 
     h = sftp_handle(sftp, client_msg->handle);
-    if (h->type == SFTP_DIR_HANDLE) {
+    if (h != NULL && h->type == SFTP_DIR_HANDLE) {
         dir = h->dirp;
         handle_name = h->name;
     }