From 309122017ebc6fff039a7cab1b82f632853d82d5 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Wed, 21 Aug 2013 01:28:49 +0200 Subject: [PATCH] Correctly handle return code of Handle_Write() There have been code paths that ignored the return code of Handle_Write() when sending "notice auth" messages to new clients connecting to the server. But because Handle_Write() would have closed the client connection again if an error occurred, this would have resulted in new errors and assert()'s later on that could have crashed the server (denial of service). Only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default. CVE-2013-5580. --- src/ngircd/conn.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index 30dfd094..8d72c1c3 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -1668,7 +1668,11 @@ Conn_StartLogin(CONN_ID Idx) #endif (void)Conn_WriteStr(Idx, "NOTICE AUTH :*** Looking up your hostname"); - (void)Handle_Write(Idx); + /* Send buffered data to the client, but break on errors + * because Handle_Write() would have closed the connection + * again in this case! */ + if (!Handle_Write(Idx)) + return; } Resolve_Addr(&My_Connections[Idx].proc_stat, &My_Connections[Idx].addr, @@ -2458,8 +2462,13 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events ) } #endif - if (Conf_NoticeAuth) - (void)Handle_Write(i); + if (Conf_NoticeAuth) { + /* Send buffered data to the client, but break on + * errors because Handle_Write() would have closed + * the connection again in this case! */ + if (!Handle_Write(i)) + return; + } Class_HandleServerBans(c); } -- 2.39.2