From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 20 Mar 2021 23:10:04 +0000 (+0100)
Subject: libssh2:ssh_connect: clear session pointer after free
X-Git-Tag: curl-7_76_0~38
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=012c19c33a57bd821aa433b488deaf7f30e7bb44;p=thirdparty%2Fcurl.git

libssh2:ssh_connect: clear session pointer after free

If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
ssh session was freed but the pointer wasn't cleared which made libcurl
later call libssh2 to cleanup using the stale pointer.

Fixes #6764
Closes #6766
---

diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index 0e7c2eb987..891e945f79 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -3159,6 +3159,7 @@ static CURLcode ssh_connect(struct Curl_easy *data, bool *done)
     sshc->kh = libssh2_knownhost_init(sshc->ssh_session);
     if(!sshc->kh) {
       libssh2_session_free(sshc->ssh_session);
+      sshc->ssh_session = NULL;
       return CURLE_FAILED_INIT;
     }