commit 55190f2d3ddf9b4bd43b0555df784c95eed82390
from: Alexander Barton <alex@barton.de>
date: Sat May 22 15:03:54 2010 UTC

Don't access already freed memory in IRC_KILL()

It is not possible to call Conn_Close() after Client_Destroy() has been
called, because Conn_Close wants to access the CLIENT structure which
then has been freed already.

Fix IRC_KILL to use Conn_Close() for local clients and Client_Destroy()
for remote clients only (and never both).

commit - 6dc80bd195ad0760bb560177d6f91c86b7698758
commit + 55190f2d3ddf9b4bd43b0555df784c95eed82390
blob - b4db3b77473955f6c04c5952df444f9f2692c190
blob + 0cb9a6e546b059518c7f5b3a187cec74c5332243
--- src/ngircd/irc.c
+++ src/ngircd/irc.c
@@ -160,11 +160,15 @@ IRC_KILL( CLIENT *Client, REQUEST *Req )
 			     Client_Type( c ), Req->argv[0] );
 		}
 
-		/* Kill client NOW! */
+		/* Kill the client NOW:
+		 *  - Close the local connection (if there is one),
+		 *  - Destroy the CLIENT structure for remote clients.
+		 * Note: Conn_Close() removes the CLIENT structure as well. */
 		conn = Client_Conn( c );
-		Client_Destroy( c, NULL, reason, false );
-		if( conn > NONE )
-			Conn_Close( conn, NULL, reason, true );
+		if(conn > NONE)
+			Conn_Close(conn, NULL, reason, true);
+		else
+			Client_Destroy(c, NULL, reason, false);
 	}
 	else
 		Log( LOG_NOTICE, "Client with nick \"%s\" is unknown here.", Req->argv[0] );