Don't access already freed memory in IRC_KILL()

It is not possible to call Conn_Close() after Client_Destroy() has been
called, because Conn_Close wants to access the CLIENT structure which
then has been freed already.

Fix IRC_KILL to use Conn_Close() for local clients and Client_Destroy()
for remote clients only (and never both).

diff --git a/src/ngircd/irc.c b/src/ngircd/irc.c
index b4db3b77473955f6c04c5952df444f9f2692c190..0cb9a6e546b059518c7f5b3a187cec74c5332243 100644 (file)
--- a/src/ngircd/irc.c
+++ b/src/ngircd/irc.c
@@ -160,11 +160,15 @@ IRC_KILL( CLIENT *Client, REQUEST *Req )
                             Client_Type( c ), Req->argv[0] );
                }
 
-               /* Kill client NOW! */
+               /* Kill the client NOW:
+                *  - Close the local connection (if there is one),
+                *  - Destroy the CLIENT structure for remote clients.
+                * Note: Conn_Close() removes the CLIENT structure as well. */
                conn = Client_Conn( c );
-               Client_Destroy( c, NULL, reason, false );
-               if( conn > NONE )
-                       Conn_Close( conn, NULL, reason, true );
+               if(conn > NONE)
+                       Conn_Close(conn, NULL, reason, true);
+               else
+                       Client_Destroy(c, NULL, reason, false);
        }
        else
                Log( LOG_NOTICE, "Client with nick \"%s\" is unknown here.", Req->argv[0] );