[dovecot-cvs] dovecot/src/auth auth-client-connection.c, 1.11,
1.12 mech.c, 1.39, 1.40
cras at dovecot.org
cras at dovecot.org
Sun Oct 10 17:21:09 EEST 2004
Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv8518
Modified Files:
auth-client-connection.c mech.c
Log Message:
Fix some potential crashes
Index: auth-client-connection.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/auth-client-connection.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- auth-client-connection.c 28 Aug 2004 11:04:14 -0000 1.11
+++ auth-client-connection.c 10 Oct 2004 14:21:07 -0000 1.12
@@ -63,7 +63,7 @@
return NULL;
}
-static void auth_client_input_handshake(struct auth_client_connection *conn)
+static int auth_client_input_handshake(struct auth_client_connection *conn)
{
struct auth_client_handshake_request rec;
unsigned char *data;
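Review bot: The new int return of auth_client_input_handshake() has no comment saying what FALSE means, and in the following hunks it covers two different situations: the handshake record is not fully buffered yet, and the connection was destroyed. I would add above the function `/* Returns TRUE once the handshake is read. FALSE means either more input is needed or conn was destroyed; the caller must not touch conn afterwards. */`. The function body continues outside this hunk.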
@@ -71,7 +71,7 @@
data = i_stream_get_modifyable_data(conn->input, &size);
if (size < sizeof(rec))
- return;
+ return FALSE;
/* Don't just cast because of alignment issues. */
memcpy(&rec, data, sizeof(rec));
@@ -80,16 +80,21 @@
if (rec.client_pid == 0) {
i_error("BUG: Auth client said it's PID 0");
auth_client_connection_destroy(conn);
- } else if (auth_client_connection_lookup(conn->master,
- rec.client_pid) != NULL) {
+ return FALSE;
+ }
+
+ if (auth_client_connection_lookup(conn->master,
+ rec.client_pid) != NULL) {
/* well, it might have just reconnected very fast .. although
there's not much reason for it. */
i_error("BUG: Auth client gave a PID %u of existing connection",
rec.client_pid);
auth_client_connection_destroy(conn);
- } else {
- conn->pid = rec.client_pid;
+ return FALSE;
}
+
+ conn->pid = rec.client_pid;
+ return TRUE;
}
static int auth_client_input_request(struct auth_client_connection *conn)
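Review bot: rec.client_pid is copied straight from the peer's handshake bytes, so the duplicate check in this hunk refuses a connection based on a value the peer chose itself. If the auth socket can be reached by anything other than trusted login processes, a wrong or reused PID leads to a legitimate client's handshake being rejected, and both failure paths are logged as `BUG:` although they are triggered by input. Consider stating the trust assumption next to the check, e.g. `/* client_pid is self-reported; socket permissions must restrict who can connect */`, or comparing it with kernel-supplied peer credentials where the platform provides them. The function starts outside this hunk.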
@@ -174,8 +179,10 @@
return;
}
- if (conn->pid == 0)
- auth_client_input_handshake(conn);
+ if (conn->pid == 0) {
+ if (!auth_client_input_handshake(conn))
+ return;
+ }
while (auth_client_input_request(conn))
;
Index: mech.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/mech.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -d -r1.39 -r1.40
--- mech.c 10 Oct 2004 13:55:12 -0000 1.39
+++ mech.c 10 Oct 2004 14:21:07 -0000 1.40
@@ -234,11 +234,16 @@
reply.id = auth_request->id;
reply.result = AUTH_CLIENT_RESULT_SUCCESS;
- /* get this before callback because it can destroy connection */
- free_request = AUTH_MASTER_IS_DUMMY(auth_request->conn->master);
+ if (auth_request->conn == NULL) {
+ /* client is already gone */
+ free_request = TRUE;
+ } else {
+ /* get this before callback because it can destroy connection */
+ free_request = AUTH_MASTER_IS_DUMMY(auth_request->conn->master);
- reply_data = mech_auth_success(&reply, auth_request, data, data_size);
- auth_request->callback(&reply, reply_data, auth_request->conn);
+ reply_data = mech_auth_success(&reply, auth_request, data, data_size);
+ auth_request->callback(&reply, reply_data, auth_request->conn);
+ }
if (free_request) {
/* we don't have master process, the request is no longer
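Review bot: The `auth_request->conn == NULL` test only protects against a vanished client if connection teardown resets `conn` to NULL on every request that is still pending; that code is not part of this patch, so it should be confirmed, otherwise the pointer is stale rather than NULL and the dereference in the else branch is as unsafe as before. The same assumption sits behind the `auth_request[i]->conn != NULL` check in the @@ -363 hunk. On the NULL path mech_auth_success() is also skipped, so whatever bookkeeping it does for a successful login (not visible here) no longer happens; a comment such as `/* client is already gone: no reply is built or sent, the request is just freed */` would mark that as intentional. The enclosing function starts and ends outside the hunk.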
@@ -363,8 +368,11 @@
for (i = 0; i < size; i++) {
reply.id = auth_request[i]->id;
- auth_request[i]->callback(&reply, NULL, auth_request[i]->conn);
- mech_request_free(auth_request[i], auth_request[i]->id);
+ if (auth_request[i]->conn != NULL) {
+ auth_request[i]->callback(&reply, NULL,
+ auth_request[i]->conn);
+ }
+ mech_request_free(auth_request[i], reply.id);
}
buffer_set_used_size(auth_failures_buf, 0);
}
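Review bot: mech_request_free() now receives `reply.id` instead of re-reading `auth_request[i]->id` after the callback, which suggests the request may not be safe to read once the callback has run, yet `auth_request[i]` itself is still passed as the first argument. If the callback can free or invalidate the request, that pointer has the same problem; if it cannot, a short comment like `/* callback may destroy the connection but not the request */` would record why only the id is cached. The enclosing function starts outside the hunk.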