Fri Jun  4 10:54:04 2010  Jan Just Keijser  <jan.just.keijser@gmail.com>

	* pptp_ctrl.c: check for failure return by pptp_send_ctrl_packet

	and avoid using freed struct conn.

--- pptp_ctrl.c	2010-06-15 15:05:46.743913798 +0100

+++ pptp_ctrl.c	2010-06-15 14:32:00.480100647 +0100

@@ -396,9 +400,10 @@

     /* don't check state against WAIT_DISCONNECT... allow multiple disconnect

      * requests to be made.

      */

-    pptp_send_ctrl_packet(conn, &rqst, sizeof(rqst));

-    pptp_reset_timer();

-    call->state.pns = PNS_WAIT_DISCONNECT;

+    if (pptp_send_ctrl_packet(conn, &rqst, sizeof(rqst))) {

+        pptp_reset_timer();

+        call->state.pns = PNS_WAIT_DISCONNECT;

+    }

     /* call structure will be freed when we have confirmation of disconnect. */

 }

@@ -431,9 +436,10 @@

         pptp_call_close(conn, vector_get_Nth(conn->call, i));

     /* now close connection */

     log("Closing PPTP connection");

-    pptp_send_ctrl_packet(conn, &rqst, sizeof(rqst));

-    pptp_reset_timer(); /* wait 60 seconds for reply */

-    conn->conn_state = CONN_WAIT_STOP_REPLY;

+    if (pptp_send_ctrl_packet(conn, &rqst, sizeof(rqst))) {

+        pptp_reset_timer(); /* wait 60 seconds for reply */

+        conn->conn_state = CONN_WAIT_STOP_REPLY;

+    }

     return;

 }

@@ -733,8 +739,8 @@

                     reply.version = packet->version;

                     /* protocol version not supported */

                     reply.result_code = hton8(5);

-                    pptp_send_ctrl_packet(conn, &reply, sizeof(reply));

-                    pptp_reset_timer(); /* give sender a chance for a retry */

+                    if (pptp_send_ctrl_packet(conn, &reply, sizeof(reply)))

+                        pptp_reset_timer(); /* give sender a chance for a retry */

                 } else { /* same or greater version */

                     if (pptp_send_ctrl_packet(conn, &reply, sizeof(reply))) {

                         conn->conn_state = CONN_ESTABLISHED;

@@ -841,8 +847,8 @@

                 hton8(1), hton8(PPTP_GENERAL_ERROR_NONE), 0

             };

             logecho( PPTP_ECHO_RQST);

-            pptp_send_ctrl_packet(conn, &reply, sizeof(reply));

-            pptp_reset_timer();

+            if (pptp_send_ctrl_packet(conn, &reply, sizeof(reply)))

+                pptp_reset_timer();

             break;

         }

             /* ----------- OUTGOING CALL MESSAGES ------------ */

@@ -928,9 +935,10 @@

                 vector_search(conn->call, ntoh16(packet->call_id), &call);

                 if (call->callback != NULL)

                     call->callback(conn, call, CALL_CLOSE_RQST);

-                pptp_send_ctrl_packet(conn, &reply, sizeof(reply));

-                pptp_call_destroy(conn, call);

-                log("Call closed (RQST) (call id %d)", (int) call->call_id);

+                if (pptp_send_ctrl_packet(conn, &reply, sizeof(reply))) {

+                    pptp_call_destroy(conn, call);

+                    log("Call closed (RQST) (call id %d)", (int) call->call_id);

+                }

             }

             break;

         }

@@ -1067,8 +1075,9 @@

     } else { /* ka_state == NONE */ /* send keep-alive */

         struct pptp_echo_rqst rqst = {

             PPTP_HEADER_CTRL(PPTP_ECHO_RQST), hton32(global.conn->ka_id) };

-        pptp_send_ctrl_packet(global.conn, &rqst, sizeof(rqst));

-        global.conn->ka_state = KA_OUTSTANDING;

+        if (pptp_send_ctrl_packet(global.conn, &rqst, sizeof(rqst))) {

+            global.conn->ka_state = KA_OUTSTANDING;

+        }

     }

     /* check incoming/outgoing call states for !IDLE && !ESTABLISHED */

     for (i = 0; i < vector_size(global.conn->call); i++) {