Fix bug in process_output (#140)

Based on error report from JTP in the tbamud forums. If an attacker was able to start a session and then break the connection, the process_output function would fail. This would trigger two calls to close_socket on the same descriptor. This in turn results in a double free on the character struct.

https://www.tbamud.com/kunena/4-development/5617-another-core-dump-not-long-after-the-one-earlier
Thanks to JTP for the bug report.
This commit is contained in:
Thomas Arp 2024-12-30 12:30:29 +01:00 committed by GitHub
parent 88b3027ec6
commit d3227f1300
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -1596,7 +1596,7 @@ static int process_output(struct descriptor_data *t)
result = write_to_descriptor(t->descriptor, osb);
if (result < 0) { /* Oops, fatal error. Bye! */
close_socket(t);
// close_socket(t); // close_socket is called after return of negative result
return (-1);
} else if (result == 0) /* Socket buffer full. Try later. */
return (0);
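
Review bot: the commented-out `close_socket(t);` in the `result < 0` branch should be deleted rather than kept as dead code, and the `//` comment does not match the `/* */` style used on the neighbouring lines. A block comment such as `/* Caller closes the socket on a negative return. */` above `return (-1);` says the same thing without leaving a disabled call that a later edit could re-enable and bring the double close back. The fix also depends on every caller of process_output calling close_socket when it gets -1, which is not visible in this hunk: state that ownership rule in the function's header comment and confirm each call site follows it, since a caller that ignores the return value would now leave the descriptor open instead of closing it twice.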