From ca2a5ac02fbbadd0a21fabba779c1ea69173d10b Mon Sep 17 00:00:00 2001
From: Christian Beier
Date: Sun, 21 Oct 2018 20:52:04 +0200
Subject: [PATCH] tightvnc-filetransfer: fix heap use-after-free

One can only guess what the intended semantics were here, but as every other rfbCloseClient() call in this file is followed by an immediate return, let's assume this was forgotton in this case. Anyway, don't forget to clean up to not leak memory.

Closes #241
---
 libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
index c511eed..0473783 100644
--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
@@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
 "FileDownloadCancelMsg\n", __FILE__, __FUNCTION__);
 rfbCloseClient(cl);
+ free(reason);
+ return;
 }
 rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:"
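Review bot: The added `free(reason); return;` after `rfbCloseClient(cl)` has no comment, and the commit message itself calls the intended semantics a guess, so the reason for the early exit could easily be lost in a later refactor. I would put a short comment above the two added lines, for example `/* client was closed above; free the buffer and return so the code below does not run on a closed client */`. HandleFileDownloadCancelRequest begins and ends outside this hunk, so the allocation of `reason` and the other exit paths are not visible here. It is worth confirming that each of them also releases `reason` exactly once, and that the message's claim that every other `rfbCloseClient()` call in the file is followed by a return still holds.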