1 From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001
2 From: Aki Tuomi <aki.tuomi@dovecot.fi>
3 Date: Fri, 26 Jan 2018 10:55:54 +0200
4 Subject: [PATCH] lib-auth: Remove request after abort
5
6 Otherwise the request will still stay in hash table
7 and get dereferenced when all requests are aborted
8 causing an attempt to access free'd memory.
9
10 Found by Apollon Oikonomopoulos <apoikos@debian.org>
11
12 Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
13 ---
14 src/lib-auth/auth-client-request.c | 2 ++
15 src/lib-auth/auth-server-connection.c | 7 +++++++
16 src/lib-auth/auth-server-connection.h | 2 ++
17 3 files changed, 11 insertions(+)
18
19 diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
20 index 046f7c307d..f6d0290a13 100644
21 --- a/src/lib-auth/auth-client-request.c
22 +++ b/src/lib-auth/auth-client-request.c
23 @@ -186,6 +186,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
24
25 auth_client_send_cancel(request->conn->client, request->id);
26 call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
27 + /* remove the request */
28 + auth_server_connection_remove_request(request->conn, request->id);
29 pool_unref(&request->pool);
30 }
31
32 diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
33 index 9d65450fb3..7eea061cad 100644
34 --- a/src/lib-auth/auth-server-connection.c
35 +++ b/src/lib-auth/auth-server-connection.c
36 @@ -483,3 +483,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
37 hash_table_insert(conn->requests, POINTER_CAST(id), request);
38 return id;
39 }
40 +
41 +void auth_server_connection_remove_request(struct auth_server_connection *conn,
42 + unsigned int id)
43 +{
44 + i_assert(conn->handshake_received);
45 + hash_table_remove(conn->requests, POINTER_CAST(id));
46 +}
47 diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
48 index 179b5dbd4c..c2c533a41d 100644
49 --- a/src/lib-auth/auth-server-connection.h
50 +++ b/src/lib-auth/auth-server-connection.h
51 @@ -40,4 +40,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
52 unsigned int
53 auth_server_connection_add_request(struct auth_server_connection *conn,
54 struct auth_client_request *request);
55 +void auth_server_connection_remove_request(struct auth_server_connection *conn,
56 + unsigned int id);
57 #endif
|