From 133ff7fb94934ff7857a23aea35892561968f1b7 Mon Sep 17 00:00:00 2001
From: simon
Date: Thu, 15 Aug 2013 06:42:36 +0000
Subject: [PATCH] Sebastian Kuschel reports that pfd_closing can be called for a socket error with pr->c NULL, in which case calling sshfwd_unclean_close on it will dereference NULL and segfault. Write an alternative error handling path for that possibility. (I don't know if it's the only way, but one way this can happen is if you're doing dynamic forwarding and the socket error occurs during SOCKS negotiation, in which case no SSH channel has been set up yet because we haven't yet found out what we want to put in the direct-tcpip channel open message.)
git-svn-id: svn://svn.tartarus.org/sgt/putty@10018 cda61777-01e9-0310-a592-d414129be87e
---
 portfwd.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/portfwd.c b/portfwd.c
index 264198fb..00cff5ee 100644
--- a/portfwd.c
+++ b/portfwd.c
@@ -87,7 +87,17 @@ static int pfd_closing(Plug plug, const char *error_msg, int error_code,
 /*
 * Socket error. Slam the connection instantly shut.
 */
- sshfwd_unclean_close(pr->c);
+ if (pr->c) {
+ sshfwd_unclean_close(pr->c);
+ } else {
+ /*
+ * We might not have an SSH channel, if a socket error
+ * occurred during SOCKS negotiation. If not, we must
+ * clean ourself up without sshfwd_unclean_close's call
+ * back to pfd_close.
+ */
+ pfd_close(pr->s);
+ }
 } else {
 /*
 * Ordinary EOF received on socket. Send an EOF on the SSH
--
2.11.0
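Review bot: After either arm of the new `if (pr->c)` the plug's private state has presumably been released, so `pr` should be treated as dangling from there on: the added comment says sshfwd_unclean_close calls back to pfd_close, and the else arm calls `pfd_close(pr->s)` directly. pfd_closing continues past the end of this hunk, so it is not visible here whether anything later in the function still reads `pr`; that is worth confirming. I would extend the new comment with a line such as `/* pr must not be touched after this point: pfd_close() disposes of it. */` so that a later edit does not introduce a use-after-free. Separately, `error_msg` is not reported anywhere in the no-channel arm as shown, so a socket failure during SOCKS negotiation leaves no diagnostic unless a caller logs it.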