From a5e296e4eb716c973442c368858eb73ad470448d Mon Sep 17 00:00:00 2001
From: Sam Dodrill
Date: Sun, 23 Mar 2014 13:57:49 -0700
Subject: [PATCH] modules/m_sasl: sasl: fix regression introduced by sasl <-> auth_user integration.

This fixes the null-dereference reported on full-disclosure [1]. A corrected analysis of the issue follows below:

When SASL authentication completes, and auth_user is requested, client_p->user may be NULL. Thusly accessing fields of client_p->user may cause a null dereference.

In these cases, aborting SASL auth early is a correct interpretation of the IRCv3.1 specification. The code must handle this situation, which this commit corrects.

[1]: http://seclists.org/fulldisclosure/2014/Mar/320
---
 modules/m_sasl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/m_sasl.c b/modules/m_sasl.c
index fadddf7..5f8f443 100644
--- a/modules/m_sasl.c
+++ b/modules/m_sasl.c
@@ -172,9 +172,9 @@ me_sasl(struct Client *client_p, struct Client *source_p,
 
 static int server_auth_sasl(struct Client *client_p)
 {
-	char *auth_user;
+	char *auth_user = NULL;
 
-	if (client_p->localClient->auth_user)
+	if (client_p->localClient->auth_user != NULL)
 	{
 		memset(client_p->localClient->auth_user, 0,
 		       strlen(client_p->localClient->auth_user));
@@ -182,10 +182,10 @@ static int server_auth_sasl(struct Client *client_p)
 		client_p->localClient->auth_user = NULL;
 	}
 
-	auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);
+	if (client_p->user != NULL && client_p->user->suser != NULL)
+		auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);
 
-	/* pointless check here */
-	if (auth_user)
+	if (auth_user != NULL)
 		client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN);
 
 	return 0;
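Review bot: The `memset(client_p->localClient->auth_user, 0, strlen(...))` kept as context in the first hunk is meant to scrub the previous auth_user before it is released, but a plain memset on a buffer that is freed immediately afterwards (the release appears to sit on the single line between the two hunks, not shown here) is a dead store the optimizer is entitled to drop, so the old credential can remain in freed heap memory. Prefer an explicit-zeroing routine for this line, e.g. `explicit_bzero(client_p->localClient->auth_user, strlen(client_p->localClient->auth_user));` where the platform provides it, or a volatile-qualified byte loop otherwise. The `!= NULL` rewrites in this hunk are purely stylistic and fine. server_auth_sasl continues past the end of this hunk.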
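Review bot: The second hunk leaks the temporary: `auth_user` is allocated with rb_strndup on the first added line, duplicated again into `client_p->localClient->auth_user` on the context line below, and never freed before `return 0;`, so every completed SASL exchange leaks one PASSWDLEN-bounded string. The intermediate copy serves no purpose, so collapse the two allocations into one and drop the local: `if (client_p->user != NULL && client_p->user->suser != NULL)` / `client_p->localClient->auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);` (the `char *auth_user` declaration in the first hunk then goes away). If `suser` is an inline character array rather than a pointer (its declaration is not in this patch), the `suser != NULL` half of the new test is always true and the meaningful guard is `client_p->user->suser[0] != '\0'`, which also avoids recording an empty auth_user. The commit message describes aborting SASL early when client_p->user is NULL, but the function still returns 0 on that path; whether callers read 0 as success is outside the hunk and worth confirming.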