Sebastian Kuschel reports that pfd_closing can be called for a socket

error with pr->c NULL, in which case calling sshfwd_unclean_close on
it will dereference NULL and segfault. Write an alternative error
handling path for that possibility.

(I don't know if it's the only way, but one way this can happen is if
you're doing dynamic forwarding and the socket error occurs during
SOCKS negotiation, in which case no SSH channel has been set up yet
because we haven't yet found out what we want to put in the
direct-tcpip channel open message.)

git-svn-id: svn://svn.tartarus.org/sgt/putty@10018 cda61777-01e9-0310-a592-d414129be87e

diff --git a/portfwd.c b/portfwd.c
index 264198f..00cff5e 100644 (file)
--- a/portfwd.c
+++ b/portfwd.c
@@ -87,7 +87,17 @@ static int pfd_closing(Plug plug, const char *error_msg, int error_code,
         /*
          * Socket error. Slam the connection instantly shut.
          */
-        sshfwd_unclean_close(pr->c);
+        if (pr->c) {
+            sshfwd_unclean_close(pr->c);
+        } else {
+            /*
+             * We might not have an SSH channel, if a socket error
+             * occurred during SOCKS negotiation. If not, we must
+             * clean ourself up without sshfwd_unclean_close's call
+             * back to pfd_close.
+             */
+            pfd_close(pr->s);
+        }
     } else {
         /*
          * Ordinary EOF received on socket. Send an EOF on the SSH