Server can crash (double-free) when desktop reconnection fails mid-way (2.8.87)

Brought to you by: anton19286, const_k, crazy-walrus

#1659 Server can crash (double-free) when desktop reconnection fails mid-way (2.8.87)

Status: open

Owner: nobody

Labels: Server (9) Win32 (10)

Priority: 7

Updated: 2 days ago

Created: 2 days ago

Private: No

Double-free in DesktopServerWatcher::execute() (lines 136-146),
acknowledged by a developer comment in the source.

Flow:

Pipe channels allocated.
otherSide channels deleted (lines 128-133).
onReconnect() called (line 136) - transfers ownership of ownSide
channels to the reconnection listener.
waitForExit() throws (line 138).
Catch block (lines 143-146) deletes all four pointers again,
including the two already owned by onReconnect().

Developer comment at line 142: "A potential crash. The channels can
be used (see onReconnect()) after these destroyings."

Attached PoC calls free() twice on the same pointer via msvcrt.dll
and exits with STATUS_HEAP_CORRUPTION (0xC0000374).

Fix: null ownSidePipeChanTo/From after onReconnect() returns.
Version: 2.8.87.