kyonshi/grenzland-mud
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix bug in process_output (#140)

Browse Source 
Based on error report from JTP in the tbamud forums. If an attacker was able to start a session and then break the connection, the  process_output function would fail. This would trigger two calls to close_socket on the same descriptor. This in turn results in a double free on the character struct.

https://www.tbamud.com/kunena/4-development/5617-another-core-dump-not-long-after-the-one-earlier
Thanks to JTP for the bug report.
This commit is contained in:
Thomas Arp
2024-12-30 12:30:29 +01:00
committed by GitHub
parent 88b3027ec6
commit d3227f1300
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/comm.c
View File

@@ -1596,7 +1596,7 @@ static int process_output(struct descriptor_data *t)
result = write_to_descriptor(t->descriptor, osb); result = write_to_descriptor(t->descriptor, osb);
if (result < 0) { /* Oops, fatal error. Bye! */ if (result < 0) { /* Oops, fatal error. Bye! */
close_socket(t); // close_socket(t); // close_socket is called after return of negative result
return (-1); return (-1);
} else if (result == 0) /* Socket buffer full. Try later. */ } else if (result == 0) /* Socket buffer full. Try later. */
return (0); return (0);