path: root/dovecot/CVE-2017-15132-1.patch
    1 From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001
    2 From: Aki Tuomi <aki.tuomi@dovecot.fi>
    3 Date: Fri, 26 Jan 2018 10:55:54 +0200
    4 Subject: [PATCH] lib-auth: Remove request after abort
    5 
    6 Otherwise the request will still stay in hash table
    7 and get dereferenced when all requests are aborted
    8 causing an attempt to access free'd memory.
    9 
   10 Found by Apollon Oikonomopoulos <apoikos@debian.org>
   11 
   12 Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
   13 ---
   14  src/lib-auth/auth-client-request.c    | 2 ++
   15  src/lib-auth/auth-server-connection.c | 7 +++++++
   16  src/lib-auth/auth-server-connection.h | 2 ++
   17  3 files changed, 11 insertions(+)
   18 
   19 diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
   20 index 046f7c307d..f6d0290a13 100644
   21 --- a/src/lib-auth/auth-client-request.c
   22 +++ b/src/lib-auth/auth-client-request.c
   23 @@ -186,6 +186,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
   24  
   25  	auth_client_send_cancel(request->conn->client, request->id);
   26  	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
   27 +	/* remove the request */
   28 +	auth_server_connection_remove_request(request->conn, request->id);
   29  	pool_unref(&request->pool);
   30  }
   31  
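Review bot: The added comment `/* remove the request */` restates the call and does not record the ordering constraint that makes this line a use-after-free fix. The entry has to leave `conn->requests` before `pool_unref(&request->pool)` frees the request, because the abort-all path described in the commit message dereferences whatever is still in that table. I would write it as `/* drop from conn->requests before the pool is freed; otherwise aborting all requests dereferences freed memory */`. `call_callback()` still runs while the request is in the table, so it is worth confirming that the callback cannot reach code that iterates or releases `conn->requests` entries. The body of auth_client_request_abort() begins outside this hunk, so anything it does before these lines is not visible here.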
   32 diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
   33 index 9d65450fb3..7eea061cad 100644
   34 --- a/src/lib-auth/auth-server-connection.c
   35 +++ b/src/lib-auth/auth-server-connection.c
   36 @@ -483,3 +483,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
   37  	hash_table_insert(conn->requests, POINTER_CAST(id), request);
   38  	return id;
   39  }
   40 +
   41 +void auth_server_connection_remove_request(struct auth_server_connection *conn,
   42 +					   unsigned int id)
   43 +{
   44 +	i_assert(conn->handshake_received);
   45 +	hash_table_remove(conn->requests, POINTER_CAST(id));
   46 +}
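Review bot: `i_assert(conn->handshake_received)` in auth_server_connection_remove_request() turns a state mismatch on the abort path into a process abort. A caller that aborts a request before the handshake completes, or after the connection state was reset, would crash instead of cleaning up. Whether that state is reachable cannot be told from this hunk, since auth_server_connection_add_request() and the disconnect code are outside it. If it is reachable, a guarded removal such as `if (conn->handshake_received) hash_table_remove(conn->requests, POINTER_CAST(id));` is the safer shape for a cleanup path. It is also worth checking how `hash_table_remove()` behaves in this tree when the id is no longer present, for example after a disconnect has already emptied the table.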
   47 diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
   48 index 179b5dbd4c..c2c533a41d 100644
   49 --- a/src/lib-auth/auth-server-connection.h
   50 +++ b/src/lib-auth/auth-server-connection.h
   51 @@ -40,4 +40,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
   52  unsigned int
   53  auth_server_connection_add_request(struct auth_server_connection *conn,
   54  				   struct auth_client_request *request);
   55 +void auth_server_connection_remove_request(struct auth_server_connection *conn,
   56 +					   unsigned int id);
   57  #endif
