From d3227f130000a8d0f31951c050c45198095d3f55 Mon Sep 17 00:00:00 2001 From: Thomas Arp <357770+welcor@users.noreply.github.com> Date: Mon, 30 Dec 2024 12:30:29 +0100 Subject: [PATCH] Fix bug in process_output (#140) Based on error report from JTP in the tbamud forums. If an attacker was able to start a session and then break the connection, the process_output function would fail. This would trigger two calls to close_socket on the same descriptor. This in turn results in a double free on the character struct. https://www.tbamud.com/kunena/4-development/5617-another-core-dump-not-long-after-the-one-earlier Thanks to JTP for the bug report. --- src/comm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/comm.c b/src/comm.c index 0c1ec9e..12323d2 100644 --- a/src/comm.c +++ b/src/comm.c @@ -1596,7 +1596,7 @@ static int process_output(struct descriptor_data *t) result = write_to_descriptor(t->descriptor, osb); if (result < 0) { /* Oops, fatal error. Bye! */ - close_socket(t); +// close_socket(t); // close_socket is called after return of negative result return (-1); } else if (result == 0) /* Socket buffer full. Try later. */ return (0);
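Review bot: In the `result < 0` branch of process_output, the call is disabled by commenting it out (`// close_socket(t); // close_socket is called after return of negative result`) instead of being deleted, which leaves dead code behind and uses a `//` comment where the surrounding lines use `/* ... */`. I would delete the line and change the existing comment to something like `/* Fatal error. The caller closes the socket when we return -1. */` so the ownership rule is stated once, in the file's own comment style. The fix also relies on every caller of process_output calling close_socket on a negative return. None of those call sites are visible in this hunk, so please confirm each one does so; otherwise the double free is traded for a descriptor that is never closed. A line in the function's header comment stating that -1 means "caller must close the descriptor" would keep a later change from reintroducing the double close.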