author | LemonBoy <thatlemon@gmail.com> | 2016-12-15 22:41:57 +0100 |
---|---|---|
committer | LemonBoy <thatlemon@gmail.com> | 2016-12-15 22:41:57 +0100 |
commit | 7a7f6abc168b571a0db4fa65c760fe6e46edf199 (patch) | |
tree | 0476417d7a5e489c9a12f215326764bd702e18c4 | |
parent | 4ccffd85ffd06325687546f78b78e3e7fce575c5 (diff) | |
Prevent a UaF by calling server_disconnect in a signal handler.
-rw-r--r-- | src/fe-common/irc/fe-sasl.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/fe-common/irc/fe-sasl.c b/src/fe-common/irc/fe-sasl.c
index 4c86f850..6cba1887 100644
--- a/src/fe-common/irc/fe-sasl.c
+++ b/src/fe-common/irc/fe-sasl.c
@@ -43,8 +43,15 @@ static void sig_cap_end(IRC_SERVER_REC *server)
 /* The negotiation has now been terminated, if we didn't manage to
 * authenticate successfully with the server just disconnect. */
 if (!server->sasl_success &&
- settings_get_bool("sasl_disconnect_on_failure"))
- server_disconnect(SERVER(server));
+ settings_get_bool("sasl_disconnect_on_failure")) {
+ /* We can't use server_disconnect() here because we'd end up
+ * freeing the 'server' object and be guilty of a slew of UaF. */
+ server->connection_lost = TRUE;
+ /* By setting connection_lost we make sure the communication is
+ * halted and when the control goes back to irc_parse_incoming
+ * the server object is safely destroyed. */
+ signal_stop();
+ }
 } |
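Review bot: The deferred teardown in sig_cap_end is only safe while this handler is reached from inside irc_parse_incoming. Nothing in the hunk destroys the server itself, so if the signal is ever emitted from another path (not visible here) the object would linger with connection_lost set and the link would never be closed. The added signal_stop() also suppresses every handler registered after this one for the same signal, so it is worth confirming that no later handler updates or releases per-server state at the end of CAP negotiation. I would record the contract next to the flag, e.g. `/* Relies on the emitter checking connection_lost after the signal returns; do not emit this signal outside irc_parse_incoming. */`. Separately, the unchanged condition tests only `!server->sasl_success`, which presumably is also true when SASL was never requested, so the trigger may be wider than an authentication failure. The function's opening lines are outside the hunk.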