changeset 22777:71859e5c593b
lib-auth: Remove request after abort
Otherwise the request will still stay in hash table
and get dereferenced when all requests are aborted
causing an attempt to access free'd memory.
Found by Apollon Oikonomopoulos <apoikos@debian.org>
Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
---|---|
date | Fri, 26 Jan 2018 10:55:54 +0200 |
parents | 49ee00901d13 |
children | c20e74f90a73 |
files | src/lib-auth/auth-client-request.c src/lib-auth/auth-server-connection.c src/lib-auth/auth-server-connection.h |
diffstat | 3 files changed, 11 insertions(+), 0 deletions(-) [+] |
--- a/src/lib-auth/auth-client-request.c Mon Dec 18 16:50:51 2017 +0200 +++ b/src/lib-auth/auth-client-request.c Fri Jan 26 10:55:54 2018 +0200 @@ -180,6 +180,8 @@ auth_client_send_cancel(request->conn->client, request->id); call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL); + /* remove the request */ + auth_server_connection_remove_request(request->conn, request->id); pool_unref(&request->pool); }
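Review bot: The removal is placed after `call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL)`, so the request is still reachable through `conn->requests` while the abort callback runs. If that callback can lead to the connection aborting all of its requests (not visible in this hunk), the same request could be visited a second time before `pool_unref(&request->pool)`. Consider unlinking first by moving `auth_server_connection_remove_request(request->conn, request->id);` above the `call_callback(...)` line. The comment `/* remove the request */` could also say why, e.g. `/* drop from conn->requests so a later abort-all cannot reach the freed request */`. The enclosing function starts outside the hunk.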
--- a/src/lib-auth/auth-server-connection.c Mon Dec 18 16:50:51 2017 +0200
+++ b/src/lib-auth/auth-server-connection.c Fri Jan 26 10:55:54 2018 +0200
@@ -481,3 +481,10 @@
 hash_table_insert(conn->requests, POINTER_CAST(id), request);
 return id;
 }
+
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+ unsigned int id)
+{
+ i_assert(conn->handshake_received);
+ hash_table_remove(conn->requests, POINTER_CAST(id));
+}
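Review bot: `i_assert(conn->handshake_received)` in `auth_server_connection_remove_request()` makes a cleanup helper abort the process when the flag is false, and nothing in the hunk shows that the flag stays set for as long as a caller holds a request id. If the connection can lose its handshake state while requests are outstanding (to be confirmed against the disconnect path), a later abort would trip the assertion instead of simply dropping the entry. For a teardown path it would be safer to drop the assertion, or to document the precondition explicitly. The function also has no comment stating that it only unlinks the entry, e.g. `/* Unlink request id from conn->requests; the caller still owns and frees the request. */`.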
--- a/src/lib-auth/auth-server-connection.h Mon Dec 18 16:50:51 2017 +0200 +++ b/src/lib-auth/auth-server-connection.h Fri Jan 26 10:55:54 2018 +0200 @@ -38,4 +38,6 @@ unsigned int auth_server_connection_add_request(struct auth_server_connection *conn, struct auth_client_request *request); +void auth_server_connection_remove_request(struct auth_server_connection *conn, + unsigned int id); #endif