modules/m_sasl: sasl: fix regression introduced by sasl <-> auth_user integration.

This fixes the null-dereference reported on full-disclosure [1]. A corrected analysis of the issue follows below: When SASL authentication completes, and auth_user is requested, client_p->user may be NULL. Thusly accessing fields of client_p->user may cause a null dereference. In these cases, aborting SASL auth early is a correct interpretation of the IRCv3.1 specification. The code must handle this situation, which this commit corrects. [1]: http://seclists.org/fulldisclosure/2014/Mar/320
2014-03-23 13:57:49 -07:00 · 2014-03-23 13:57:49 -07:00 · a5e296e4eb
parent 1bd7b59879
commit a5e296e4eb
1 changed files with 5 additions and 5 deletions
--- a/modules/m_sasl.c
+++ b/modules/m_sasl.c
@ -172,9 +172,9 @@ me_sasl(struct Client *client_p, struct Client *source_p,

 static int server_auth_sasl(struct Client *client_p)
 {
-	char *auth_user;
+	char *auth_user = NULL;

-        if (client_p->localClient->auth_user)
+        if (client_p->localClient->auth_user != NULL)
        {
                memset(client_p->localClient->auth_user, 0,
                       strlen(client_p->localClient->auth_user));
@ -182,10 +182,10 @@ static int server_auth_sasl(struct Client *client_p)
                client_p->localClient->auth_user = NULL;
        }

-	auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);
+	if (client_p->user != NULL && client_p->user->suser != NULL)
+		auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);

-	/* pointless check here */
-	if (auth_user)
+	if (auth_user != NULL)
 		client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN);

 	return 0;