+ "details": "### Summary\nA nil pointer dereference in `tunnelCloseHandler` causes the handler goroutine to panic whenever a reverse tunnel (rportfwd) close is attempted. Both the legitimate close path AND the unauthorized close path dereference `tunnel.SessionID` where `tunnel` is guaranteed nil. This means rportfwd tunnels can never be cleanly closed, and any authenticated implant can trigger repeated goroutine panics.\n\n### Details\nFile: `server/handlers/sessions.go` lines 172 and 175\n\nThe function enters an `else` block precisely because `core.Tunnels.Get(tunnelData.TunnelID)` returned `nil`. Both conditions inside that else block then dereference `tunnel.SessionID` instead of `rtunnel.SessionID`:\n```go\n} else {\n rtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)\n\n if rtunnel != nil && session.ID == tunnel.SessionID { // LINE 172 — nil deref\n rtunnel.Close()\n rtunnels.RemoveRTunnel(rtunnel.ID)\n } else if rtunnel != nil && session.ID != tunnel.SessionID { // LINE 175 — nil deref\n sessionHandlerLog.Warnf(\"...\")\n }\n}\n```\n\nNote: The identical bug was already fixed in `tunnelDataHandler` at lines 124/126 (correctly uses `rtunnel.SessionID`), but the fix was \nnot applied to `tunnelCloseHandler`.\n\n### PoC\n```go\ntunnel := GetTunnel(999) // returns nil — no normal tunnel with this ID\n// tunnel is nil here\n\nrtunnel := GetRTunnel(999) // returns valid rtunnel owned by session-AAAA\n\n// Both lines below panic with:\n// runtime error: invalid memory address or nil pointer dereference\nif rtunnel != nil && sessionID == tunnel.SessionID { ... } // line 172\n} else if rtunnel != nil && sessionID != tunnel.SessionID { ... } // line 175\n```\n\nConfirmed on master commit `7ac4db3fa` with standalone reproducer.\nOutput:\n```\nPANIC on line 172 (legitimate close): runtime error: invalid memory address or nil pointer dereference\nPANIC on line 175 (unauthorized close): runtime error: invalid memory address or nil pointer dereference\n```\n\n\n\n\n\n### Impact\n- rportfwd tunnels **cannot be closed** — functional regression\n- Any authenticated implant can trigger repeated handler goroutine panics\n- rtunnel map entries leak (never cleaned up on close failure)\n- `recoverAndLogPanic()` prevents full server crash but silently drops the close operation\n\n### Fix\nReplace `tunnel.SessionID` with `rtunnel.SessionID` on both lines:\n```diff\n- if rtunnel != nil && session.ID == tunnel.SessionID {\n+ if rtunnel != nil && session.ID == rtunnel.SessionID {\n rtunnel.Close()\n rtunnels.RemoveRTunnel(rtunnel.ID)\n- } else if rtunnel != nil && session.ID != tunnel.SessionID {\n+ } else if rtunnel != nil && session.ID != rtunnel.SessionID {\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments