From 55190f2d3ddf9b4bd43b0555df784c95eed82390 Mon Sep 17 00:00:00 2001
From: Alexander Barton
Date: Sat, 22 May 2010 17:03:54 +0200
Subject: [PATCH] Don't access already freed memory in IRC_KILL()

It is not possible to call Conn_Close() after Client_Destroy() has been called, because Conn_Close wants to access the CLIENT structure which then has been freed already. Fix IRC_KILL to use Conn_Close() for local clients and Client_Destroy() for remote clients only (and never both).
---
 src/ngircd/irc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/ngircd/irc.c b/src/ngircd/irc.c
index b4db3b77..0cb9a6e5 100644
--- a/src/ngircd/irc.c
+++ b/src/ngircd/irc.c
@@ -160,11 +160,15 @@ IRC_KILL( CLIENT *Client, REQUEST *Req )
 Client_Type( c ), Req->argv[0] );
 }
 
- /* Kill client NOW! */
+ /* Kill the client NOW:
+ * - Close the local connection (if there is one),
+ * - Destroy the CLIENT structure for remote clients.
+ * Note: Conn_Close() removes the CLIENT structure as well. */
 conn = Client_Conn( c );
- Client_Destroy( c, NULL, reason, false );
- if( conn > NONE )
- Conn_Close( conn, NULL, reason, true );
+ if(conn > NONE)
+ Conn_Close(conn, NULL, reason, true);
+ else
+ Client_Destroy(c, NULL, reason, false);
 }
 else
 Log( LOG_NOTICE, "Client with nick \"%s\" is unknown here.", Req->argv[0] );
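Review bot: After the new `if(conn > NONE) ... else ...` block, `c` is left dangling on both paths, because either Conn_Close() or Client_Destroy() has released the CLIENT structure, and nothing in the hunk marks it as dead. IRC_KILL starts above the hunk and continues past it, so I cannot see whether `c` is read again later; adding `c = NULL;` right after the block, before the closing brace of the `if( c )` branch, would turn any later use into an immediate fault instead of a silent read of freed memory. The new comment asserts that Conn_Close() removes the CLIENT structure, so if Conn_Close() has any early-return path (for instance a connection already marked as closing) a local client would now survive the KILL; that guarantee is worth confirming and recording in Conn_Close()'s own header comment. Minor style point: the added lines write `if(conn > NONE)` while the surrounding code pads its parentheses, as in `Client_Conn( c )`.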