From: Christian Beier Date: Sun, 21 Oct 2018 20:52:04 +0200 Subject: tightvnc-filetransfer: fix heap use-after-free Origin: https://github.com/LibVNC/libvncserver/commit/ca2a5ac02fbbadd0a21fabba779c1ea69173d10b Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6307 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/241 One can only guess what the intended semantics were here, but as every other rfbCloseClient() call in this file is followed by an immediate return, let's assume this was forgotton in this case. Anyway, don't forget to clean up to not leak memory. Closes #241 --- libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 2 ++ 1 file changed, 2 insertions(+) --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c @@ -575,6 +575,8 @@ "FileDownloadCancelMsg\n", __FILE__, __FUNCTION__); rfbCloseClient(cl); + free(reason); + return; } rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:"