tests: Remove tests of operations on freed channels

These tests are flaky because even though the care was taken to guess if the ssh_channel_free() really freed the channel, it might not always be correct and call to operation on the freed channel results in use after free. Generally, no operation should be called after the channel is freed by the user. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-04 12:20:42 +09:00 · 2025-07-30 11:18:45 +02:00
parent e7cffe7e1b
commit ef50a3c0f0
1 changed files with 0 additions and 97 deletions
--- a/tests/client/torture_session.c
+++ b/tests/client/torture_session.c
@@ -321,51 +321,6 @@ static void torture_freed_channel_poll(void **state)
    assert_int_equal(rc, SSH_ERROR);
 }

-/* Ensure that calling 'ssh_channel_poll_timeout' on a freed channel does not
- * lead to segmentation faults. */
-static void torture_freed_channel_poll_timeout(void **state)
-{
-    struct torture_state *s = *state;
-    ssh_session session = s->ssh.session;
-    ssh_channel channel;
-    bool channel_freed = false;
-    char request[256];
-    char buff[256] = {0};
-    int rc;
-
-    snprintf(request, 256,
-             "dd if=/dev/urandom of=/tmp/file bs=64000 count=2; hexdump -C /tmp/file");
-
-    channel = ssh_channel_new(session);
-    assert_non_null(channel);
-
-    rc = ssh_channel_open_session(channel);
-    assert_ssh_return_code(session, rc);
-
-    /* Make the request, read parts with close */
-    rc = ssh_channel_request_exec(channel, request);
-    assert_ssh_return_code(session, rc);
-
-    do {
-        rc = ssh_channel_read(channel, buff, 256, 0);
-    } while(rc > 0);
-    assert_ssh_return_code(session, rc);
-
-    /* when either of these conditions is met the call to ssh_channel_free will
-     * actually free the channel so calling poll on that channel will be
-     * use-after-free */
-    if ((channel->flags & SSH_CHANNEL_FLAG_CLOSED_REMOTE) ||
-        (channel->flags & SSH_CHANNEL_FLAG_NOT_BOUND)) {
-        channel_freed = true;
-    }
-    ssh_channel_free(channel);
-
-    if (!channel_freed) {
-        rc = ssh_channel_poll_timeout(channel, 500, 0);
-        assert_int_equal(rc, SSH_ERROR);
-    }
-}
-
 /* Ensure that calling 'ssh_channel_read_nonblocking' on a freed channel does
 * not lead to segmentation faults. */
 static void torture_freed_channel_read_nonblocking(void **state)
@@ -461,52 +416,6 @@ static void torture_channel_exit_signal(void **state)
    SAFE_FREE(exit_signal);
 }

-
-/* Ensure that calling 'ssh_channel_get_exit_status' on a freed channel does not
- * lead to segmentation faults. */
-static void torture_freed_channel_get_exit_status(void **state)
-{
-    struct torture_state *s = *state;
-    ssh_session session = s->ssh.session;
-    ssh_channel channel;
-    bool channel_freed = false;
-    char request[256];
-    char buff[256] = {0};
-    int rc;
-
-    snprintf(request, 256,
-             "dd if=/dev/urandom of=/tmp/file bs=64000 count=2; hexdump -C /tmp/file");
-
-    channel = ssh_channel_new(session);
-    assert_non_null(channel);
-
-    rc = ssh_channel_open_session(channel);
-    assert_ssh_return_code(session, rc);
-
-    /* Make the request, read parts with close */
-    rc = ssh_channel_request_exec(channel, request);
-    assert_ssh_return_code(session, rc);
-
-    do {
-        rc = ssh_channel_read(channel, buff, 256, 0);
-    } while(rc > 0);
-    assert_ssh_return_code(session, rc);
-
-    /* when either of these conditions is met the call to ssh_channel_free will
-     * actually free the channel so calling poll on that channel will be
-     * use-after-free */
-    if ((channel->flags & SSH_CHANNEL_FLAG_CLOSED_REMOTE) ||
-        (channel->flags & SSH_CHANNEL_FLAG_NOT_BOUND)) {
-        channel_freed = true;
-    }
-    SSH_CHANNEL_FREE(channel);
-
-    if (!channel_freed) {
-        rc = ssh_channel_get_exit_status(channel);
-        assert_ssh_return_code_equal(session, rc, SSH_ERROR);
-    }
-}
-
 static void
 torture_channel_read_stderr(void **state)
 {
@@ -611,9 +520,6 @@ int torture_run_tests(void) {
        cmocka_unit_test_setup_teardown(torture_freed_channel_poll,
                                        session_setup,
                                        session_teardown),
-        cmocka_unit_test_setup_teardown(torture_freed_channel_poll_timeout,
-                                        session_setup,
-                                        session_teardown),
        cmocka_unit_test_setup_teardown(torture_freed_channel_read_nonblocking,
                                        session_setup,
                                        session_teardown),
@@ -623,9 +529,6 @@ int torture_run_tests(void) {
        cmocka_unit_test_setup_teardown(torture_channel_exit_signal,
                                        session_setup,
                                        session_teardown),
-        cmocka_unit_test_setup_teardown(torture_freed_channel_get_exit_status,
-                                        session_setup,
-                                        session_teardown),
        cmocka_unit_test_setup_teardown(torture_channel_read_stderr,
                                        session_setup,
                                        session_teardown),