diff options
author | Christian Beier <dontmind@freeshell.org> | 2018-10-21 20:52:04 +0200 |
---|---|---|
committer | Christian Beier <dontmind@freeshell.org> | 2018-10-21 20:52:04 +0200 |
commit | ca2a5ac02fbbadd0a21fabba779c1ea69173d10b (patch) | |
tree | c4b29180428b67df23cf2e66826c44b0484af66b | |
parent | 502821828ed00b4a2c4bef90683d0fd88ce495de (diff) | |
download | libtdevnc-ca2a5ac02fbbadd0a21fabba779c1ea69173d10b.tar.gz libtdevnc-ca2a5ac02fbbadd0a21fabba779c1ea69173d10b.zip |
tightvnc-filetransfer: fix heap use-after-free
One can only guess what the intended semantics were here, but as every
other rfbCloseClient() call in this file is followed by an immediate
return, let's assume this was forgotton in this case.
Anyway, don't forget to clean up to not leak memory.
Closes #241
-rw-r--r-- | libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c index c511eed..0473783 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c @@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) "FileDownloadCancelMsg\n", __FILE__, __FUNCTION__); rfbCloseClient(cl); + free(reason); + return; } rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:" |