From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 22 Jun 2023 10:11:51 +0000 (+0200)
Subject: Fix use-after-free in cupsdAcceptClient() (fixes CVE-2023-34241)
X-Git-Tag: v2.4.6~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f6da74ec284e28c156f0b9f62f3bd610e61aa78;p=thirdparty%2Fcups.git

Fix use-after-free in cupsdAcceptClient() (fixes CVE-2023-34241)

Fix use-after-free when logging warnings in case of failures
in `cupsdAcceptClient()` (fixes CVE-2023-34241)
---

diff --git a/CHANGES.md b/CHANGES.md
index 1e1b117354..727ca9fa80 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,8 @@ Changes in CUPS v2.4.6 - TBA
 ----------------------------
 
 - Fix printing multiple files on specific printers (Issue #643)
+- Fix use-after-free when logging warnings in case of failures
+  in `cupsdAcceptClient()` (fixes CVE-2023-34241)
 
 
 Changes in CUPS v2.4.5 - 2023-06-13
diff --git a/scheduler/client.c b/scheduler/client.c
index 91e441188c..327473a4d1 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
    /*
     * Can't have an unresolved IP address with double-lookups enabled...
     */
-
-    httpClose(con->http);
-
     cupsdLogClient(con, CUPSD_LOG_WARN,
-                    "Name lookup failed - connection from %s closed!",
+                    "Name lookup failed - closing connection from %s!",
                     httpGetHostname(con->http, NULL, 0));
 
+    httpClose(con->http);
     free(con);
     return;
   }
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
       * with double-lookups enabled...
       */
 
-      httpClose(con->http);
-
       cupsdLogClient(con, CUPSD_LOG_WARN,
-                      "IP lookup failed - connection from %s closed!",
+                      "IP lookup failed - closing connection from %s!",
                       httpGetHostname(con->http, NULL, 0));
+
+      httpClose(con->http);
       free(con);
       return;
     }
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
 
   if (!hosts_access(&wrap_req))
   {
-    httpClose(con->http);
-
     cupsdLogClient(con, CUPSD_LOG_WARN,
                     "Connection from %s refused by /etc/hosts.allow and "
 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+    httpClose(con->http);
     free(con);
     return;
   }