Package: dovecot / 1:2.2.13-12~deb8u4

0004-Fix-CVE-2017-15132-memory-leak-on-aborted-SASL-auth.patch Patch series | download
From 7a4fba03c515753618aa9dcde8d0052b5bfed3df Mon Sep 17 00:00:00 2001
From: Apollon Oikonomopoulos <apoikos@debian.org>
Date: Tue, 30 Jan 2018 22:48:27 +0200
Subject: [PATCH 4/4] Fix CVE-2017-15132: memory leak on aborted SASL auth

Backport upstream commits 4e28c31250096ee5e8c739c03f8290f95c473ce0 and
e2236c3d73efdb2634acf8fea3c2dc8d9702ca09.

 commit 4e28c31250096ee5e8c739c03f8290f95c473ce0
 Author: Timo Sirainen <timo.sirainen@dovecot.fi>
 Date:   Mon Dec 18 16:50:51 2017 +0200

     lib-auth: Fix memory leak in auth_client_request_abort()

     This caused memory leaks when authentication was aborted. For example
     with IMAP:

     a AUTHENTICATE PLAIN
     *

     Broken by 9137c55411aa39d41c1e705ddc34d5bd26c65021

 commit e2236c3d73efdb2634acf8fea3c2dc8d9702ca09
 Author: Aki Tuomi <aki.tuomi@dovecot.fi>
 Date:   Fri Jan 26 10:55:54 2018 +0200

     lib-auth: Remove request after abort

     Otherwise the request will still stay in hash table
     and get dereferenced when all requests are aborted
     causing an attempt to access free'd memory.

     Found by Apollon Oikonomopoulos <apoikos@debian.org>

     Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
---
 src/lib-auth/auth-client-request.c    | 3 +++
 src/lib-auth/auth-server-connection.c | 7 +++++++
 src/lib-auth/auth-server-connection.h | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
index b490a0a7d..152e98160 100644
--- a/src/lib-auth/auth-client-request.c
+++ b/src/lib-auth/auth-client-request.c
@@ -165,6 +165,9 @@ void auth_client_request_abort(struct auth_client_request **_request)
 
 	auth_client_send_cancel(request->conn->client, request->id);
 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
+	/* remove the request */
+	auth_server_connection_remove_request(request->conn, request->id);
+	pool_unref(&request->pool);
 }
 
 unsigned int auth_client_request_get_id(struct auth_client_request *request)
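Review bot: The added comment `/* remove the request */` only restates the call on the next line; what is worth recording is why the hash-table removal must precede `pool_unref(&request->pool)`, since after the pool is released the table entry would be a dangling pointer that the abort-all path dereferences (the commit message describes exactly that access to freed memory). Suggest `/* drop the hash table entry before releasing the pool; otherwise the abort-all path on disconnect would dereference freed memory */`. The ordering of the three new lines is correct as written: `request->conn` is read before the pool is released, so a later reordering that moves `pool_unref()` up would reintroduce a use-after-free. auth_client_request_abort() begins outside the hunk, so whether `*_request` is set to NULL for the caller cannot be confirmed here; if it is not, the caller is left holding a pointer to memory this change now frees.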
diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
index 034f5389e..b67ef0fe5 100644
--- a/src/lib-auth/auth-server-connection.c
+++ b/src/lib-auth/auth-server-connection.c
@@ -479,3 +479,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
 	hash_table_insert(conn->requests, POINTER_CAST(id), request);
 	return id;
 }
+
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id)
+{
+	i_assert(conn->handshake_received);
+	hash_table_remove(conn->requests, POINTER_CAST(id));
+}
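Review bot: auth_server_connection_remove_request() has no guard for an id that is not present in `conn->requests`, and whether hash_table_remove() tolerates a missing key or aborts depends on lib/hash, which is not visible here; the contract should therefore be stated, and the prototype added to auth-server-connection.h carries no comment either. Suggest above the definition (or the header declaration): `/* Forget the request registered under id. Does not free the request; id must have been returned by auth_server_connection_add_request() and still be registered. */`. The `i_assert(conn->handshake_received)` presumably mirrors a matching assert in auth_server_connection_add_request() just above the hunk; if requests can only be registered after the handshake the invariant holds, but if an abort can reach this function before the handshake completes, the assert would turn a cleanup path into an abort of the process.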
diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
index 51fc7f24b..615ea7e9a 100644
--- a/src/lib-auth/auth-server-connection.h
+++ b/src/lib-auth/auth-server-connection.h
@@ -38,4 +38,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
 unsigned int
 auth_server_connection_add_request(struct auth_server_connection *conn,
 				   struct auth_client_request *request);
+void auth_server_connection_remove_request(struct auth_server_connection *conn,
+					   unsigned int id);
 #endif
-- 
2.15.1