Comparing ParallelSSH:master...parallel-ssh:master · ParallelSSH/ssh-python
Commits on Jul 19, 2024
session: disconnect on __dealloc__
Calling ssh_disconnect means the Session object is still around, which means Channel objects may still be around, but ssh_disconnect also performs ssh_channel_do_free on any open channels, which makes those Channel._channel pointers dangling pointers. This causes a UAF when Channel.__dealloc__ runs, where (if the memory wasn't reclaimed, which is likely) _channel->session is nulled in the session->alive check in ssh_channel_free. Because we can't fix this, this effectively means that Session.disconnect CANNOT be implemented as an API. However, if we instead do the disconnect in Session.__dealloc__, then this can't happen, as the Channel._session reference forces Channel objects to be deallocated before the Session. Another fix could be for ssh_channel_free to check both channel and channel->session for NULL (currently does the former), but this would only mask the crash in most instances and not actually fix the UAF.
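The ordering argument in the commit message, as an added example that is not part of the commit or of ssh-python: a pure-Python simulation in which `FakeLibssh`, `stale_frees` and `run` are hypothetical names, `__del__` stands in for Cython's `__dealloc__`, and CPython reference counting is assumed.

```python
# Simulation only: no real libssh calls; handles are tracked in a Python set.
class FakeLibssh:
    """Constructed stand-in for the C library's channel bookkeeping."""
    def __init__(self):
        self.live = set()        # channel handles that are still allocated
        self.stale_frees = 0     # frees of an already-freed handle (the UAF)

    def channel_new(self):
        handle = object()
        self.live.add(handle)
        return handle

    def channel_free(self, handle):
        if handle in self.live:
            self.live.discard(handle)
        else:
            self.stale_frees += 1    # in C this would touch freed memory

    def disconnect(self):
        self.live.clear()            # disconnect also frees every open channel

class Session:
    def __init__(self, lib):
        self.lib = lib

    def disconnect(self):            # the explicit API the commit rules out
        self.lib.disconnect()

    def __del__(self):               # disconnect only when the Session is torn down
        self.lib.disconnect()

class Channel:
    def __init__(self, session):
        self._session = session      # strong reference keeps the Session alive
        self._channel = session.lib.channel_new()

    def __del__(self):
        self._session.lib.channel_free(self._channel)

def run(explicit_disconnect):
    lib = FakeLibssh()
    session = Session(lib)
    channel = Channel(session)
    if explicit_disconnect:
        session.disconnect()         # channel._channel is now dangling
    del session                      # Session survives: channel still references it
    del channel                      # Channel.__del__ runs first, then Session.__del__
    return lib.stale_frees
```

`run(True)` reports one free of a stale handle, while `run(False)` reports none because the channel is always released before the session disconnects.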