lib-auth: Remove request after abort

Otherwise the request will still stay in hash table and get dereferenced when all requests are aborted causing an attempt to access free'd memory. Found by Apollon Oikonomopoulos <apoikos@debian.org> Broken in 1a29ed2
dovecot · Jan 30, 2018 · 891aa17 · 891aa17
1 parent a008617
commit 891aa17
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
@@ -180,6 +180,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
 
 	auth_client_send_cancel(request->conn->client, request->id);
 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
+	/* remove the request */
+	auth_server_connection_remove_request(request->conn, request->id);
 	pool_unref(&request->pool);
 }
 

diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
@@ -481,3 +481,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
 	hash_table_insert(conn->requests, POINTER_CAST(id), request);
 	return id;
 }
+
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id)
+{
+	i_assert(conn->handshake_received);
+	hash_table_remove(conn->requests, POINTER_CAST(id));
+}
diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
@@ -38,4 +38,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
 unsigned int
 auth_server_connection_add_request(struct auth_server_connection *conn,
 				   struct auth_client_request *request);
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id);
 #endif