Description: Fixed a DoS attack against imap/pop3-login processes
 CVE-2014-3430: If SSL/TLS handshake was started but wasn't finished,
 the login process attempted to eventually forcibly disconnect the
 client, but failed to do it correctly. This could have left the
 connections hanging around for a long time.
Bug-Debian: http://bugs.debian.org/747549 
Origin: upstream, http://hg.dovecot.org/dovecot-2.1/rev/b7ac23b4d339
Author: Timo Sirainen <tss@iki.fi>
Last-Update: 2014-06-08
Applied-Upstream: 2.2.13

diff -r b20b4071a282 -r b7ac23b4d339 src/login-common/client-common.c
--- a/src/login-common/client-common.c	Mon Aug 05 14:06:23 2013 +0300
+++ b/src/login-common/client-common.c	Wed May 07 17:26:21 2014 +0300
@@ -142,6 +142,8 @@
 		last_client = client->prev;
 	DLLIST_REMOVE(&clients, client);
 
+	if (!client->login_success && client->ssl_proxy != NULL)
+		ssl_proxy_destroy(client->ssl_proxy);
 	if (client->input != NULL)
 		i_stream_close(client->input);
 	if (client->output != NULL)
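Review bot: The `!client->login_success` condition on the added `ssl_proxy_destroy()` call has no comment, so a reader cannot tell from this hunk why proxies of successfully logged-in clients are left alone. Presumably those proxies must keep relaying TLS traffic after the login client object is gone, but that is inferred from the patch description and should be confirmed and written down. I would add a comment above the check such as `/* login never completed (e.g. unfinished SSL handshake): force the proxy down so the connection cannot linger */`. The enclosing function starts and ends outside the hunk, so how `client->ssl_proxy` is released afterwards cannot be checked from here.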
diff -r b20b4071a282 -r b7ac23b4d339 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Mon Aug 05 14:06:23 2013 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Wed May 07 17:26:21 2014 +0300
@@ -108,7 +108,6 @@
 static void ssl_read(struct ssl_proxy *proxy);
 static void ssl_write(struct ssl_proxy *proxy);
 static void ssl_step(struct ssl_proxy *proxy);
-static void ssl_proxy_destroy(struct ssl_proxy *proxy);
 static void ssl_proxy_unref(struct ssl_proxy *proxy);
 
 static struct ssl_server_context *
@@ -783,7 +782,7 @@
 	i_free(proxy);
 }
 
-static void ssl_proxy_destroy(struct ssl_proxy *proxy)
+void ssl_proxy_destroy(struct ssl_proxy *proxy)
 {
 	if (proxy->destroyed)
 		return;
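Review bot: `ssl_proxy_destroy()` loses `static` here, but its definition is visible only in ssl-proxy-openssl.c, while client-common.c now calls it unconditionally. If the tree can be built without OpenSSL and keeps stub implementations of the ssl-proxy.h functions elsewhere (not visible in this patch), that configuration needs a matching no-op definition, e.g. `void ssl_proxy_destroy(struct ssl_proxy *proxy) { (void)proxy; }`, or it will fail to link. The function body continues outside the hunk.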
diff -r b20b4071a282 -r b7ac23b4d339 src/login-common/ssl-proxy.h
--- a/src/login-common/ssl-proxy.h	Mon Aug 05 14:06:23 2013 +0300
+++ b/src/login-common/ssl-proxy.h	Wed May 07 17:26:21 2014 +0300
@@ -31,6 +31,7 @@
 const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy);
 const char *ssl_proxy_get_compression(struct ssl_proxy *proxy);
 const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy);
+void ssl_proxy_destroy(struct ssl_proxy *proxy);
 void ssl_proxy_free(struct ssl_proxy **proxy);
 
 /* Return number of active SSL proxies */
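Review bot: The new `ssl_proxy_destroy()` prototype sits directly above `ssl_proxy_free()` with no comment saying how the two differ or which one a caller should use. From the visible lines, destroy takes the proxy by value, dereferences it without a NULL check, and returns early when `proxy->destroyed` is already set. A header comment would make that contract explicit, for example `/* Forcibly shut down the proxy; a no-op if already destroyed. proxy must not be NULL and the caller's pointer is not cleared. */`.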

