mirror of
				https://github.com/osmarks/ngircd.git
				synced 2025-10-25 19:17:38 +00:00 
			
		
		
		
	Fix use-after-free while handling ERROR during client login
This patch fixes a "use after free" bug which is hit while processing ERROR commands while a new client is logging into the server, which leads to only the CLIENT structure becoming freed, but not the CONNECTION structure, too. And this leads to the daemon accessing the already freed CLIENT structure later on ... So now IRC_ERROR() uses the correct function Conn_Close() to correctly free both structures. The CONNECTION structure is cleaned up later on, and the freed CLIENT structure can't be overwritten during normal operations, therefore this bug normally can't crash (DoS) the service -- but you can easily hit it when using the GCC option "-fsanitize=address", or run ngIRCd with Valgrind. Thanks a lot to Joseph Bisch <joseph.bisch@gmail.com> for discovering and reporting this issue!
This commit is contained in:
		| @@ -1,6 +1,6 @@ | |||||||
| /* | /* | ||||||
|  * ngIRCd -- The Next Generation IRC Daemon |  * ngIRCd -- The Next Generation IRC Daemon | ||||||
|  * Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors. |  * Copyright (c)2001-2018 Alexander Barton (alex@barton.de) and Contributors. | ||||||
|  * |  * | ||||||
|  * This program is free software; you can redistribute it and/or modify |  * This program is free software; you can redistribute it and/or modify | ||||||
|  * it under the terms of the GNU General Public License as published by |  * it under the terms of the GNU General Public License as published by | ||||||
| @@ -112,7 +112,7 @@ IRC_ERROR(CLIENT *Client, REQUEST *Req) | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if (Client_Conn(Client) != NONE) { | 	if (Client_Conn(Client) != NONE) { | ||||||
| 		Client_Destroy(Client, NULL, msg, false); | 		Conn_Close(Client_Conn(Client), NULL, msg, false); | ||||||
| 		return DISCONNECTED; | 		return DISCONNECTED; | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Alexander Barton
					Alexander Barton