authorChristian Beier <dontmind@freeshell.org>2018-10-21 20:52:04 +0200
committerChristian Beier <dontmind@freeshell.org>2018-10-21 20:52:04 +0200
commitca2a5ac02fbbadd0a21fabba779c1ea69173d10b (patch)
treec4b29180428b67df23cf2e66826c44b0484af66b
parent502821828ed00b4a2c4bef90683d0fd88ce495de (diff)
tightvnc-filetransfer: fix heap use-after-free
One can only guess what the intended semantics were here, but as every other rfbCloseClient() call in this file is followed by an immediate return, let's assume this was forgotten in this case. Anyway, don't forget to clean up to not leak memory. Closes #241
-rw-r--r--libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
index c511eed..0473783 100644
--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
@@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
"FileDownloadCancelMsg\n", __FILE__, __FUNCTION__);
rfbCloseClient(cl);
+ free(reason);
+ return;
}
rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:"
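Review bot: The added `return;` after `rfbCloseClient(cl);` carries no comment saying why execution must stop there, and the commit message itself admits the original intent had to be guessed. A one-line comment above it would keep the next edit from reintroducing the fall-through, for example `/* client is closed: nothing below may touch cl or rtcp */`. Which later access caused the use-after-free is not visible in this hunk, so the comment should name it once confirmed against the rest of the function. Because `free(reason);` is now written out on this error path separately from wherever the normal path releases it (presumably at the end of the function, outside the hunk), a single cleanup label that both paths reach would keep the two from drifting apart. The body of HandleFileDownloadCancelRequest starts and ends outside the hunk.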