Fix heap-use-after-free

eggheads · Jul 10, 2024 · a9c4780 · a9c4780
1 parent d2ffcea
commit a9c4780
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/dcc.c b/src/dcc.c
@@ -360,8 +360,14 @@ static char *get_bot_pass(struct userrec *u) {
     if (pass2) {
       if (!pass) {
         pass = pass2;
-        if (encrypt_pass)
+        if (encrypt_pass) {
+	  /* get_user() returns a pointer of struct user_entry
+           * and set_user()->pass2_set() could free() and realloc it
+	   * so fetch it again with get_user()
+	   */
           set_user(&USERENTRY_PASS, u, pass);
+          pass = get_user(&USERENTRY_PASS2, u);
+	}
       } else if (strcmp(pass2, pass) && encrypt_pass2)
         pass = pass2;
     } else if (pass && encrypt_pass2)