summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLemonBoy <thatlemon@gmail.com>2016-12-15 22:41:57 +0100
committerLemonBoy <thatlemon@gmail.com>2016-12-15 22:41:57 +0100
commit7a7f6abc168b571a0db4fa65c760fe6e46edf199 (patch)
tree0476417d7a5e489c9a12f215326764bd702e18c4
parent4ccffd85ffd06325687546f78b78e3e7fce575c5 (diff)
downloadirssi-7a7f6abc168b571a0db4fa65c760fe6e46edf199.zip
Prevent a UaF by calling server_disconnect in a signal handler.
-rw-r--r--src/fe-common/irc/fe-sasl.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/fe-common/irc/fe-sasl.c b/src/fe-common/irc/fe-sasl.c
index 4c86f850..6cba1887 100644
--- a/src/fe-common/irc/fe-sasl.c
+++ b/src/fe-common/irc/fe-sasl.c
@@ -43,8 +43,15 @@ static void sig_cap_end(IRC_SERVER_REC *server)
/* The negotiation has now been terminated, if we didn't manage to
* authenticate successfully with the server just disconnect. */
if (!server->sasl_success &&
- settings_get_bool("sasl_disconnect_on_failure"))
- server_disconnect(SERVER(server));
+ settings_get_bool("sasl_disconnect_on_failure")) {
+ /* We can't use server_disconnect() here because we'd end up
+ * freeing the 'server' object and be guilty of a slew of UaF. */
+ server->connection_lost = TRUE;
+ /* By setting connection_lost we make sure the communication is
+ * halted and when the control goes back to irc_parse_incoming
+ * the server object is safely destroyed. */
+ signal_stop();
+ }
}