modules/m_sasl: sasl: fix regression introduced by sasl <-> auth_user integration.

This fixes the null-dereference reported on full-disclosure [1].  A
corrected analysis of the issue
follows below:

When SASL authentication completes, and auth_user is requested,
client_p->user may be NULL. Thus, accessing fields of client_p->user
may cause a null dereference. In these cases, aborting SASL auth
early is a correct interpretation of the IRCv3.1 specification.  The
code must handle this situation, which this commit corrects.

[1]: http://seclists.org/fulldisclosure/2014/Mar/320
Sam Dodrill 2014-03-23 13:57:49 -07:00
parent 1bd7b59879
commit a5e296e4eb
1 changed files with 5 additions and 5 deletions


@ -172,9 +172,9 @@ me_sasl(struct Client *client_p, struct Client *source_p,
static int server_auth_sasl(struct Client *client_p) static int server_auth_sasl(struct Client *client_p)
{ {
char *auth_user; char *auth_user = NULL;
if (client_p->localClient->auth_user) if (client_p->localClient->auth_user != NULL)
{ {
memset(client_p->localClient->auth_user, 0, memset(client_p->localClient->auth_user, 0,
strlen(client_p->localClient->auth_user)); strlen(client_p->localClient->auth_user));
@ -182,10 +182,10 @@ static int server_auth_sasl(struct Client *client_p)
client_p->localClient->auth_user = NULL; client_p->localClient->auth_user = NULL;
} }
if (client_p->user != NULL && client_p->user->suser != NULL)
auth_user = rb_strndup(client_p->user->suser, PASSWDLEN); auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);
/* pointless check here */ if (auth_user != NULL)
if (auth_user)
client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN); client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN);
return 0; return 0;