git.thebackupbox.net
ngircd
git clone git://git.thebackupbox.net/ngircd
commit 798de94d6556bdf2c6019f368ad7441fe6e2d1be
Author: Alexander Barton 
Date:   Sun Mar 11 21:06:03 2018 +0100

    Fix use-after-free while handling ERROR during client login

    This patch fixes a "use after free" bug which is hit while processing
    ERROR commands while a new client is logging into the server, which
    leads to only the CLIENT structure becoming freed, but not the
    CONNECTION structure, too. And this leads to the daemon accessing the
    already freed CLIENT structure later on ...

    So now IRC_ERROR() uses the correct function Conn_Close() to correctly
    free both structures.

    The CONNECTION structure is cleaned up later on, and the freed CLIENT
    structure can't be overwritten during normal operations, therefore this
    bug normally can't crash (DoS) the service -- but you can easily hit it
    when using the GCC option "-fsanitize=address", or run ngIRCd with
    Valgrind.

    Thanks a lot to Joseph Bisch for discovering
    and reporting this issue!

diff --git a/src/ngircd/irc.c b/src/ngircd/irc.c
index 12fd8214f4235165941b3606f99b112d08284f42..
index ..eae046d3eab11703c00fd695307abce7ede115d2 100644
--- a/src/ngircd/irc.c
+++ b/src/ngircd/irc.c
@@ -1,6 +1,6 @@
 /*
  * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2018 Alexander Barton (alex@barton.de) and Contributors.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -112,7 +112,7 @@ IRC_ERROR(CLIENT *Client, REQUEST *Req)
 	}

 	if (Client_Conn(Client) != NONE) {
-		Client_Destroy(Client, NULL, msg, false);
+		Conn_Close(Client_Conn(Client), NULL, msg, false);
 		return DISCONNECTED;
 	}

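Review bot: The new call `Conn_Close(Client_Conn(Client), NULL, msg, false);` in `IRC_ERROR()` has no comment explaining why the connection-level close is required, so a later cleanup could swap `Client_Destroy()` back in and reintroduce the dangling CLIENT pointer. A short comment above it would preserve the reasoning from the commit message: a client that has its own connection (`Client_Conn(Client) != NONE`) must be torn down through `Conn_Close()` so that the CLIENT and CONNECTION structures are freed together. The immediate `return DISCONNECTED;` is right, since `Client` must not be touched after this call. Two follow-ups are worth doing: check other call sites that pass a client with `Client_Conn() != NONE` to `Client_Destroy()`, because they would leave the same stale reference, and add a test that sends ERROR during login against a build with `-fsanitize=address`, which the commit message says hits the bug easily.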