[dovecot-cvs] dovecot/src/auth mech.c,1.49,1.50 mech.h,1.27,1.28
cras at dovecot.org
cras at dovecot.org
Wed Dec 8 04:27:41 EET 2004
Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv24703
Modified Files:
mech.c mech.h
Log Message:
Requests in failed response queue could still be found from request queue
and destroyed again. This made it possible to crash dovecot-auth by sending
more authentication data than was expected.
Index: mech.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/mech.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -d -r1.49 -r1.50
--- mech.c 6 Dec 2004 16:55:57 -0000 1.49
+++ mech.c 8 Dec 2004 02:27:39 -0000 1.50
@@ -114,6 +114,12 @@
void auth_request_destroy(struct auth_request *request)
{
+ i_assert(request->refcount > 0);
+
+ if (request->destroyed)
+ return;
+ request->destroyed = TRUE;
+
if (request->conn != NULL) {
hash_remove(request->conn->auth_requests,
POINTER_CAST(request->id));
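Review bot: The early return on `request->destroyed` has no comment saying why a second destroy is legitimate, so a later reader may take it for a masked lifecycle bug. A line such as `/* already destroyed when it was queued for a delayed failure reply */` above the check would record the reason given in the log message. The `i_assert(request->refcount > 0)` added here and in auth_request_unref reads the request object itself, so it can only catch an over-release while that memory is still intact, and it is best-effort once the request has really been freed. The body of auth_request_destroy continues outside the hunk.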
@@ -143,7 +149,12 @@
requests += auth_failures_buf->used/sizeof(*requests)-1;
i_assert(*requests != request);
}
+
buffer_append(auth_failures_buf, &request, sizeof(request));
+
+ /* make sure the request isn't found anymore */
+ auth_request_ref(request);
+ auth_request_destroy(request);
return;
}
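Review bot: The `auth_request_ref(request)` taken just before `auth_request_destroy(request)` is not explained, because the comment above it covers only the destroy. Presumably destroy releases one reference at its end (not visible in this hunk) and the extra ref keeps the pointer just appended to `auth_failures_buf` valid until the queued failure is sent. If so, say it, e.g. `/* destroy drops a reference; take one first so the queued pointer stays valid */`. If destroy does not drop a reference, this pair leaks one per failed request, so the pairing is worth confirming. The enclosing function starts outside the hunk.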
@@ -189,6 +200,7 @@
int auth_request_unref(struct auth_request *request)
{
+ i_assert(request->refcount > 0);
if (--request->refcount > 0)
return TRUE;
Index: mech.h
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/mech.h,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -d -r1.27 -r1.28
--- mech.h 21 Oct 2004 02:23:12 -0000 1.27
+++ mech.h 8 Dec 2004 02:27:39 -0000 1.28
@@ -38,6 +38,7 @@
unsigned int no_failure_delay:1;
unsigned int no_login:1;
unsigned int proxy:1;
+ unsigned int destroyed:1;
/* ... mechanism specific data ... */
};