From 6e4fc09ce005db965523ef8930ea51ca429815a2 Mon Sep 17 00:00:00 2001 From: Patrick Griffis Date: Fri, 2 Mar 2018 20:48:54 -0500 Subject: [PATCH] Fix possible out of bounds read when being ctcp flooded Note that this is unlikely to be triggerable by another user. Thanks to @dequis for discovering. --- src/common/ignore.c | 36 +++++++++++++++--------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/src/common/ignore.c b/src/common/ignore.c index 1d1eaf20..8bf0d57f 100644 --- a/src/common/ignore.c +++ b/src/common/ignore.c @@ -340,17 +340,6 @@ flood_autodialog_timeout (gpointer data) int flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ctcp 1=priv */ { - /* - serv - int ctcp_counter; - time_t ctcp_last_time; - prefs - unsigned int ctcp_number_limit; - unsigned int ctcp_time_limit; - */ - char buf[512]; - char real_ip[132]; - int i; time_t current_time; current_time = time (NULL); @@ -367,20 +356,24 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ct serv->ctcp_counter++; if (serv->ctcp_counter == prefs.hex_flood_ctcp_num) /*if we reached the maximun numbers of ctcp in the seconds limits */ { + char *mask, *message, *real_ip; + serv->ctcp_last_time = current_time; /*we got the flood, restore all the vars for next one */ serv->ctcp_counter = 0; - for (i = 0; i < 128; i++) - if (ip[i] == '@') - break; - g_snprintf (real_ip, sizeof (real_ip), "*!*%s", &ip[i]); - g_snprintf (buf, sizeof (buf), - _("You are being CTCP flooded from %s, ignoring %s\n"), - nick, real_ip); - PrintText (sess, buf); + real_ip = strchr (ip, '@'); + if (real_ip != NULL) + mask = g_strdup_printf ("*!*%s", real_ip); + else + mask = g_strdup_printf ("%s!*", nick); - /* ignore CTCP */ - ignore_add (real_ip, IG_CTCP, FALSE); + message = g_strdup_printf (_("You are being CTCP flooded from %s, ignoring %s\n"), nick, mask); + + PrintText (sess, message); + ignore_add (mask, IG_CTCP, FALSE); + + g_free (message); + g_free (mask); return 0; } } @@ -396,6 +389,7 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ct if (difftime (current_time, serv->msg_last_time) < prefs.hex_flood_msg_time) { + char buf[512]; serv->msg_counter++; if (serv->msg_counter == prefs.hex_flood_msg_num) /*if we reached the maximun numbers of ctcp in the seconds limits */ {