commit d24df64397015732bc6cc1c36a4710fc4db271f1
from: Alexander Barton <alex@barton.de>
date: Fri Aug 23 19:43:37 2013 UTC

Correctly handle return code of Handle_Write()

There have been code paths that ignored the return code of Handle_Write()
when sending "notice auth" messages to new clients connecting to the
server. But because Handle_Write() would have closed the client connection
again if an error occurred, this would have resulted in new errors and
assert()'s later on that could have crashed the server (denial of service).

Only setups having the configuration option "NoticeAuth" enabled are
affected, which is not the default.

CVE-2013-5580.

(cherry picked from commit 309122017ebc6fff039a7cab1b82f632853d82d5)

commit - c45d9dd1f08fddb95fa01d62c69848cd753a3161
commit + d24df64397015732bc6cc1c36a4710fc4db271f1
blob - 80b085a83e2f3e4b6108ed36c30c8358ff5ac441
blob + e3921f9ffc285472a1fe6b869732092442d98ad7
--- src/ngircd/conn.c
+++ src/ngircd/conn.c
@@ -1547,7 +1547,11 @@ Conn_StartLogin(CONN_ID Idx)
 #endif
 			(void)Conn_WriteStr(Idx,
 				"NOTICE AUTH :*** Looking up your hostname");
-		(void)Handle_Write(Idx);
+		/* Send buffered data to the client, but break on errors
+		 * because Handle_Write() would have closed the connection
+		 * again in this case! */
+		if (!Handle_Write(Idx))
+			return;
 	}
 
 	Resolve_Addr(&My_Connections[Idx].proc_stat, &My_Connections[Idx].addr,
@@ -2339,8 +2343,13 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events
 		}
 #endif
 
-		if (Conf_NoticeAuth)
-			(void)Handle_Write(i);
+		if (Conf_NoticeAuth) {
+			/* Send buffered data to the client, but break on
+			 * errors because Handle_Write() would have closed
+			 * the connection again in this case! */
+			if (!Handle_Write(i))
+				return;
+		}
 
 		Class_HandleServerBans(c);
 	}