[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NEW ircii/bitchx(/epic?) overflow (fwd)

Does ircd2.9 send lines longer than 511 bytes to the client?

-----
Mikael Abrahamsson    email: swmike@xxxxxxxxx

---------- Forwarded message ----------
Date: Tue, 2 Jun 1998 00:07:49 +0200
From: forcer <forcer@xxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxx
Subject: Re: NEW ircii/bitchx(/epic?) overflow

On Sat, May 30, 1998 at 06:48:07PM +0200, Paul Boehm wrote:
>Hi,
>i think i've found a new (exploitable) bug in ircii and the likes.
[...]
>Special thanks go out to forcer from #linux.de who helped
>me testing the bug and currently is working on a patch for it.
Patch is done, available under
        http://webserver.de/forcer/code/patch-ircii-4.4+noinfect
and appended.
The problem also showed up in the ssfe frontend to sirc
        http://webserver.de/forcer/code/patch-sirc-2.211+noinfect
EPIC and tirc are secure as it seems
In short, the IRC clients do not expect a long, non-terminated line,
as RFC1459 (IRC protocl) specifies a maximal line length of 511 bytes
plus the newline.
The ircII maintainers notified me that the patch won't go into the client
as it is, since not many unices have the snprintf() function.
Patch follows:

diff -urN ircii-4.4/source/hook.c ircii-4.4-noinfect/source/hook.c
--- ircii-4.4/source/hook.c     Mon Apr 21 08:34:00 1997
+++ ircii-4.4-noinfect/source/hook.c    Sat May 30 20:11:28 1998
@@ -431,7 +431,7 @@

 #ifdef HAVE_STDARG_H
        va_start(vl, format);
-       vsprintf(buffer, format, vl);
+       vsnprintf(buffer, BIG_BUFFER_SIZE+1, format, vl);
        va_end(vl);
 #else
        sprintf(buffer, format, arg1, arg2, arg3, arg4, arg5, arg6);


        -forcer

--
/* Never make any mistaeks.                                               */
/* email: forcer@xxxxxxxxxxxxxxxxx -><- www: http://mailserver.de/forcer/ */
/* IRC: forcer (#StarWars@IRCnet)  -><- PGP: mail with subject "send pgp" */