From: Aki Tuomi <aki.tuomi@dovecot.fi>
Date: Fri, 26 Jan 2018 08:55:54 +0000 (+0200)
Subject: lib-auth: Remove request after abort
X-Git-Tag: 2.2.35~127
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2236c3d73efdb2634acf8fea3c2dc8d9702ca09;p=thirdparty%2Fdovecot%2Fcore.git

lib-auth: Remove request after abort

Otherwise the request will still stay in hash table
and get dereferenced when all requests are aborted
causing an attempt to access free'd memory.

Found by Apollon Oikonomopoulos <apoikos@debian.org>

Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
---

diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
index fb2e5ddbb5..68d301513f 100644
--- a/src/lib-auth/auth-client-request.c
+++ b/src/lib-auth/auth-client-request.c
@@ -180,6 +180,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
 
 	auth_client_send_cancel(request->conn->client, request->id);
 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
+	/* remove the request */
+	auth_server_connection_remove_request(request->conn, request->id);
 	pool_unref(&request->pool);
 }
 
diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
index acd3aed82d..cc9211f254 100644
--- a/src/lib-auth/auth-server-connection.c
+++ b/src/lib-auth/auth-server-connection.c
@@ -481,3 +481,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
 	hash_table_insert(conn->requests, POINTER_CAST(id), request);
 	return id;
 }
+
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id)
+{
+	i_assert(conn->handshake_received);
+	hash_table_remove(conn->requests, POINTER_CAST(id));
+}
diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
index 51fc7f24b7..615ea7e9ae 100644
--- a/src/lib-auth/auth-server-connection.h
+++ b/src/lib-auth/auth-server-connection.h
@@ -38,4 +38,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
 unsigned int
 auth_server_connection_add_request(struct auth_server_connection *conn,
 				   struct auth_client_request *request);
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id);
 #endif