modules/m_sasl: sasl: fix regression introduced by sasl <-> auth_user integration.
This fixes the null-dereference reported on full-disclosure [1]. A corrected analysis of the issue follows below: When SASL authentication completes, and auth_user is requested, client_p->user may be NULL. Thus, accessing fields of client_p->user may cause a null dereference. In these cases, aborting SASL auth early is a correct interpretation of the IRCv3.1 specification. The code must handle this situation, which this commit corrects. [1]: http://seclists.org/fulldisclosure/2014/Mar/320
parent
1bd7b59879
commit
a5e296e4eb
|
@ -172,9 +172,9 @@ me_sasl(struct Client *client_p, struct Client *source_p,
|
||||||
|
|
||||||
static int server_auth_sasl(struct Client *client_p)
|
static int server_auth_sasl(struct Client *client_p)
|
||||||
{
|
{
|
||||||
char *auth_user;
|
char *auth_user = NULL;
|
||||||
|
|
||||||
if (client_p->localClient->auth_user)
|
if (client_p->localClient->auth_user != NULL)
|
||||||
{
|
{
|
||||||
memset(client_p->localClient->auth_user, 0,
|
memset(client_p->localClient->auth_user, 0,
|
||||||
strlen(client_p->localClient->auth_user));
|
strlen(client_p->localClient->auth_user));
|
||||||
|
@ -182,10 +182,10 @@ static int server_auth_sasl(struct Client *client_p)
|
||||||
client_p->localClient->auth_user = NULL;
|
client_p->localClient->auth_user = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);
|
if (client_p->user != NULL && client_p->user->suser != NULL)
|
||||||
|
auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);
|
||||||
|
|
||||||
/* pointless check here */
|
if (auth_user != NULL)
|
||||||
if (auth_user)
|
|
||||||
client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN);
|
client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
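Review bot: In the second hunk of server_auth_sasl the temporary `auth_user` is filled by one rb_strndup call and then duplicated again into `client_p->localClient->auth_user`, and nothing in the visible lines before `return 0;` releases the temporary, so each completed SASL exchange appears to leak one copy of the account name. Because the new guard already proves `client_p->user` is non-NULL, the copy can be stored directly and the local dropped: keep `if (client_p->user != NULL && client_p->user->suser != NULL)` and follow it with `client_p->localClient->auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);`. The function still returns 0 when `client_p->user` is NULL, so if callers are meant to treat that case as an aborted authentication, as the description says, a short comment at the guard stating what the caller observes would help. The line between the two hunks and the end of the function body are outside the view, so the leak is inferred from the shown lines only.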