authorpschwan <pschwan>2006-11-21 18:42:37 (GMT)
committerpschwan <pschwan>2006-11-21 18:42:37 (GMT)
commitabcb1f4e668d8e3df9d7accd6a1f470649a4443e (patch)
treec3d4603ae781bab8951ccd96a818e25808ddb8d7
parent715e118304ec4c342f6d856d50484caa67d4a73a (diff)
b=1500775
fixes two use-after-free bugs that could, very rarely, lead to calling the wrong functions during player connection
-rw-r--r--ChangeLog.txt3
-rw-r--r--server.c9
2 files changed, 10 insertions, 2 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 653879b..4c51c98 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -2388,6 +2388,9 @@ Version 1.8.3, in progress
decrease startup time on large databases.
-- SF bug #1552816: fixed an issue that could cause tracebacks in emergency mode
to produce "Unknown Var type" errors
+-- SF bug #1500775: fixed two use-after-free bugs that could lead very rarely to
+ calling the wrong functions during player connection (Thanks Garance Drosehn
+ for the report and initial patch.)
**** Changes relevant to programmers / wizards:
-- SF bug #227620: add_verb() now returns (positive integer) verb index
-- bf_crypt() now passes salts longer than 2 characters to the underlying C
diff --git a/server.c b/server.c
index f7aa9c9..0ab6f7d 100644
--- a/server.c
+++ b/server.c
@@ -1065,7 +1065,6 @@ player_connected(Objid old_id, Objid new_id, int is_newly_created)
send_message(new_h->listener, new_h->nhandle, "redirect_to_msg",
"*** Redirecting old connection to this port ***", 0);
network_close(existing_h->nhandle);
- free_shandle(existing_h);
if (existing_h->listener == new_h->listener)
call_notifier(new_id, new_h->listener, "user_reconnected");
else {
@@ -1073,6 +1072,7 @@ player_connected(Objid old_id, Objid new_id, int is_newly_created)
"user_client_disconnected");
call_notifier(new_id, new_h->listener, "user_connected");
}
+ free_shandle(existing_h);
} else {
oklog("%s: %s on %s\n",
is_newly_created ? "CREATED" : "CONNECTED",
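Review bot: existing_h now stays allocated across the two call_notifier() calls in this hunk, which run server verbs, yet the only field the new side still reads from it is existing_h->listener. The narrower fix is to copy that field into a local before the close and free the handle right away, i.e. `Objid old_listener = existing_h->listener;` ahead of `network_close(existing_h->nhandle);`, keep `free_shandle(existing_h);` where it was, and use `old_listener` in the comparison and the disconnected-notifier call. That preserves this commit's fix while removing the window in which a verb that tears down the old connection (whether any can is not visible here) would leave existing_h to be freed a second time. player_connected() begins before the first hunk and ends after this one, and the else branch's first call_notifier line is cut at the hunk boundary.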
@@ -1740,7 +1740,7 @@ bf_buffered_output_length(Var arglist, Byte next, void *vdata, Objid progr)
if (nargs == 0)
r.v.num = MAX_QUEUED_OUTPUT;
else {
- shandle *h = find_shandle(arglist.v.list[1].v.obj);
+ shandle *h = find_shandle(conn);
if (!h)
return make_error_pack(E_INVARG);
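Review bot: The new lookup `find_shandle(conn)` is only correct if `conn` was copied out of arglist before the call (presumably free_var(arglist)) that made `arglist.v.list[1]` dangling, and that declaration sits above the hunk, so it cannot be confirmed here. If `conn` is read unconditionally from `arglist.v.list[1].v.obj`, the nargs == 0 path indexes past a zero-length argument list; guarding it at the declaration, e.g. `Objid conn = nargs >= 1 ? arglist.v.list[1].v.obj : NOTHING;` (or whichever invalid-object sentinel the file uses), closes that. A one-line comment on the changed line would record why the raw arglist must not be touched here: `/* arglist has already been freed; only the saved conn is valid */`. bf_buffered_output_length() starts and ends outside the hunk.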
@@ -1790,6 +1790,11 @@ char rcsid_server[] = "$Id$";
/*
* $Log$
+ * Revision 1.10 2006/11/21 18:42:37 pschwan
+ * b=1500775
+ * fixes two use-after-free bugs that could lead very rarely to
+ * calling the wrong functions during player connection
+ *
* Revision 1.9 2005/09/29 18:46:18 bjj
* Add third argument to open_network_connection() that associates a specific listener object with the new connection. This simplifies a lot of outbound connection management.
*