modules/m_sasl: sasl: fix regression introduced by sasl <-> auth_user integration.
This fixes the null-dereference reported on full-disclosure [1]. A corrected analysis of the issue follows below: When SASL authentication completes, and auth_user is requested, client_p->user may be NULL. Thusly accessing fields of client_p->user may cause a null dereference. In these cases, aborting SASL auth early is a correct interpretation of the IRCv3.1 specification. The code must handle this situation, which this commit corrects. [1]: http://seclists.org/fulldisclosure/2014/Mar/320
This commit is contained in:
parent
1bd7b59879
commit
a5e296e4eb
|
@ -172,9 +172,9 @@ me_sasl(struct Client *client_p, struct Client *source_p,
|
|||
|
||||
static int server_auth_sasl(struct Client *client_p)
|
||||
{
|
||||
char *auth_user;
|
||||
char *auth_user = NULL;
|
||||
|
||||
if (client_p->localClient->auth_user)
|
||||
if (client_p->localClient->auth_user != NULL)
|
||||
{
|
||||
memset(client_p->localClient->auth_user, 0,
|
||||
strlen(client_p->localClient->auth_user));
|
||||
|
@ -182,10 +182,10 @@ static int server_auth_sasl(struct Client *client_p)
|
|||
client_p->localClient->auth_user = NULL;
|
||||
}
|
||||
|
||||
if (client_p->user != NULL && client_p->user->suser != NULL)
|
||||
auth_user = rb_strndup(client_p->user->suser, PASSWDLEN);
|
||||
|
||||
/* pointless check here */
|
||||
if (auth_user)
|
||||
if (auth_user != NULL)
|
||||
client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN);
|
||||
|
||||
return 0;
|
||||
|
|
Loading…
Reference in New Issue