From 6f6da74ec284e28c156f0b9f62f3bd610e61aa78 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 22 Jun 2023 12:11:51 +0200
Subject: [PATCH] Fix use-after-free in cupsdAcceptClient() (fixes
 CVE-2023-34241)

Fix use-after-free when logging warnings in case of failures
in `cupsdAcceptClient()` (fixes CVE-2023-34241)
---
 CHANGES.md         |  2 ++
 scheduler/client.c | 16 +++++++---------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 1e1b117354..727ca9fa80 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,8 @@ Changes in CUPS v2.4.6 - TBA
 ----------------------------
 
 - Fix printing multiple files on specific printers (Issue #643)
+- Fix use-after-free when logging warnings in case of failures
+  in `cupsdAcceptClient()` (fixes CVE-2023-34241)
 
 
 Changes in CUPS v2.4.5 - 2023-06-13
diff --git a/scheduler/client.c b/scheduler/client.c
index 91e441188c..327473a4d1 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
    /*
     * Can't have an unresolved IP address with double-lookups enabled...
     */
-
-    httpClose(con->http);
-
     cupsdLogClient(con, CUPSD_LOG_WARN,
-                    "Name lookup failed - connection from %s closed!",
+                    "Name lookup failed - closing connection from %s!",
                     httpGetHostname(con->http, NULL, 0));
 
+    httpClose(con->http);
     free(con);
     return;
   }
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
       * with double-lookups enabled...
       */
 
-      httpClose(con->http);
-
       cupsdLogClient(con, CUPSD_LOG_WARN,
-                      "IP lookup failed - connection from %s closed!",
+                      "IP lookup failed - closing connection from %s!",
                       httpGetHostname(con->http, NULL, 0));
+
+      httpClose(con->http);
       free(con);
       return;
     }
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
 
   if (!hosts_access(&wrap_req))
   {
-    httpClose(con->http);
-
     cupsdLogClient(con, CUPSD_LOG_WARN,
                     "Connection from %s refused by /etc/hosts.allow and "
 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+    httpClose(con->http);
     free(con);
     return;
   }
-- 
2.47.2