commit b4393277ea1cc67bc8433fcbeded3fc2186f5c54
from: Alexander Barton <alex@barton.de>
date: Sat Mar 09 16:44:34 2013 UTC

Don't read SSL client data before DNS resolver is finished

Fix the cb_clientserver_ssl() callback function to not read in and store SSL
encrypted client data before the asynchronous DNS resolver sub-process has
finished: This could have resulted in discarding the resolved client hostname
and IDENT reply afterwards, because in some situations (timing dependent) the
NICK and USER commands could have already been read in from the client,
stored in the buffer, and been processed.

Thanks to Julian Brost for reporting the issue and testing, and to Federico
G. Schwindt <fgsch@lodoss.net> for helping to debug it!

commit - b33da9b8f3e46f3174093c01aa9e75b65964ecf2
commit + b4393277ea1cc67bc8433fcbeded3fc2186f5c54
blob - 3c1427d5461272ac83a68c21e769f557bc80d472
blob + eeedb4411b7c9abfb60c7a48ce29afdc646c72a1
--- src/ngircd/conn.c
+++ src/ngircd/conn.c
@@ -367,13 +367,13 @@ cb_clientserver(int sock, short what)
 
 #ifdef SSL_SUPPORT
 /**
- * IO callback for established SSL-enabled client and server connections.
+ * IO callback for new SSL-enabled client and server connections.
  *
  * @param sock	Socket descriptor.
  * @param what	IO specification (IO_WANTREAD/IO_WANTWRITE/...).
  */
 static void
-cb_clientserver_ssl(int sock, short what)
+cb_clientserver_ssl(int sock, UNUSED short what)
 {
 	CONN_ID idx = Socket2Index(sock);
 
@@ -390,14 +390,11 @@ cb_clientserver_ssl(int sock, short what)
 	case 0:
 		return;	/* EAGAIN: callback will be invoked again by IO layer */
 	default:
-		Conn_Close(idx, "SSL accept error, closing socket", "SSL accept error", false);
+		Conn_Close(idx,
+			   "SSL accept error, closing socket", "SSL accept error",
+			   false);
 		return;
 	}
-	if (what & IO_WANTREAD)
-		Read_Request(idx);
-
-	if (what & IO_WANTWRITE)
-		Handle_Write(idx);
 
 	io_event_setcb(sock, cb_clientserver);	/* SSL handshake completed */
 }