tags #353341 patch
thanks
On Fri, Feb 17, 2006 at 04:53:17PM +0100, Moritz Muehlenhoff wrote:
> Patches are available at
> http://dovecot.org/patches/1.0-auth-crashfix.diff
> http://dovecot.org/patches/1.0-login-crashfixes.diff
dpatch attached.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
#! /bin/sh /usr/share/dpatch/dpatch-run
## security-353341.dpatch by Marc Haber <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad dovecot-1.0.beta2/src/auth/auth-request-handler.c
/tmp/dpep.YL82N2/dovecot-1.0.beta2/src/auth/auth-request-handler.c
--- dovecot-1.0.beta2/src/auth/auth-request-handler.c 2006-01-14
18:27:03.000000000 +0000
+++ /tmp/dpep.YL82N2/dovecot-1.0.beta2/src/auth/auth-request-handler.c
2006-02-18 12:32:48.000000000 +0000
@@ -62,8 +62,11 @@
return;
iter = hash_iterate_init(handler->requests);
- while (hash_iterate(iter, &key, &value))
- auth_request_unref(value);
+ while (hash_iterate(iter, &key, &value)) {
+ struct auth_request *auth_request = value;
+
+ auth_request_unref(&auth_request);
+ }
hash_iterate_deinit(iter);
/* notify parent that we're done with all requests */
diff -urNad dovecot-1.0.beta2/src/imap-login/client-authenticate.c
/tmp/dpep.YL82N2/dovecot-1.0.beta2/src/imap-login/client-authenticate.c
--- dovecot-1.0.beta2/src/imap-login/client-authenticate.c 2006-01-14
17:46:14.000000000 +0000
+++ /tmp/dpep.YL82N2/dovecot-1.0.beta2/src/imap-login/client-authenticate.c
2006-02-18 12:33:33.000000000 +0000
@@ -179,7 +179,6 @@
struct imap_client *client = (struct imap_client *)_client;
struct const_iovec iov[3];
size_t data_len;
- ssize_t ret;
switch (reply) {
case SASL_SERVER_REPLY_SUCCESS:
@@ -217,16 +216,10 @@
iov[2].iov_base = "\r\n";
iov[2].iov_len = 2;
- ret = o_stream_sendv(client->output, iov, 3);
- if (ret < 0)
- client_destroy(client, "Disconnected");
- else if ((size_t)ret != 2 + data_len + 2)
- client_destroy(client, "Transmit buffer full");
- else {
- /* continue */
- return;
- }
- break;
+ /* don't check return value here. it gets tricky if we try
+ to call client_destroy() in here. */
+ (void)o_stream_sendv(client->output, iov, 3);
+ return;
}
client_unref(client);
diff -urNad dovecot-1.0.beta2/src/pop3-login/client-authenticate.c
/tmp/dpep.YL82N2/dovecot-1.0.beta2/src/pop3-login/client-authenticate.c
--- dovecot-1.0.beta2/src/pop3-login/client-authenticate.c 2006-01-14
17:46:59.000000000 +0000
+++ /tmp/dpep.YL82N2/dovecot-1.0.beta2/src/pop3-login/client-authenticate.c
2006-02-18 12:33:33.000000000 +0000
@@ -188,16 +188,10 @@
iov[2].iov_base = "\r\n";
iov[2].iov_len = 2;
- ret = o_stream_sendv(client->output, iov, 3);
- if (ret < 0)
- client_destroy(client, "Disconnected");
- else if ((size_t)ret != 2 + data_len + 2)
- client_destroy(client, "Transmit buffer full");
- else {
- /* continue */
- return;
- }
- break;
+ /* don't check return value here. it gets tricky if we try
+ to call client_destroy() in here. */
+ (void)o_stream_sendv(client->output, iov, 3);
+ return;
}
client_unref(client);
