Correctly handle return code of Handle_Write()
authorAlexander Barton <alex@barton.de>
Tue, 20 Aug 2013 23:28:49 +0000 (01:28 +0200)
committerAlexander Barton <alex@barton.de>
Fri, 23 Aug 2013 19:40:51 +0000 (21:40 +0200)
There have been code paths that ignored the return code of Handle_Write()
when sending "notice auth" messages to new clients connecting to the
server. But because Handle_Write() would have closed the client connection
again if an error occurred, this would have resulted in new errors and
assert()'s later on that could have crashed the server (denial of service).

Only setups having the configuration option "NoticeAuth" enabled are
affected, which is not the default.

CVE-2013-5580.

src/ngircd/conn.c

index 30dfd094467397ac958052fd41bfd5f33960ff14..8d72c1c3253ef9ecb2cea8fb6e3521ee72306fbb 100644 (file)
@@ -1668,7 +1668,11 @@ Conn_StartLogin(CONN_ID Idx)
 #endif
                        (void)Conn_WriteStr(Idx,
                                "NOTICE AUTH :*** Looking up your hostname");
-               (void)Handle_Write(Idx);
+               /* Send buffered data to the client, but break on errors
+                * because Handle_Write() would have closed the connection
+                * again in this case! */
+               if (!Handle_Write(Idx))
+                       return;
        }
 
        Resolve_Addr(&My_Connections[Idx].proc_stat, &My_Connections[Idx].addr,
@@ -2458,8 +2462,13 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events )
                }
 #endif
 
-               if (Conf_NoticeAuth)
-                       (void)Handle_Write(i);
+               if (Conf_NoticeAuth) {
+                       /* Send buffered data to the client, but break on
+                        * errors because Handle_Write() would have closed
+                        * the connection again in this case! */
+                       if (!Handle_Write(i))
+                               return;
+               }
 
                Class_HandleServerBans(c);
        }