
Re: topiclen fix



tisdag 16 januari 2001 23:16 skrev du:
> On Tue, Jan 16, 2001 at 11:11:13PM +0100, Per von Zweigbergk wrote:
> > I could look into that. It shouldn't be very hard. Or maybe it will, if
> > the pointer to the topic is stored somewhere else than in the channel
> > struct.
>
> It is not hard, I think fiction is already working on that.
>
> p.

Well... I've already written a patch on this. I don't have anywhere to test 
it, but it *should* work. If it doesn't, it's probably some null pointer 
somewhere.

This might introduce some buffer overflow remote exploits, because I don't 
check bounds anywhere, but I assume this won't ever be triggered, because the 
maximum message length that a user can send to the server is fixed. This 
might also introduce a memory leak or two.

Apply by standing in the source tree and using patch -p1.

/pv2b
diff -ur irc2.10.3p1/common/struct_def.h irc2.10.3p1+infinitetopic/common/struct_def.h
--- irc2.10.3p1/common/struct_def.h	Wed Jun  7 00:32:57 2000
+++ irc2.10.3p1+infinitetopic/common/struct_def.h	Wed Jan 17 00:47:44 2001
@@ -567,7 +567,7 @@
 	struct	Channel *nextch, *prevch, *hnextch;
 	u_int	hashv;		/* raw hash value */
 	Mode	mode;
-	char	topic[TOPICLEN+1];
+	char	*topic;
 	int	users;		/* current membership total */
 	Link	*members;	/* channel members */
 	Link	*invites;	/* outstanding invitations */
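Review bot: The new `char *topic` field carries no statement of its ownership or invariants, yet the rest of the patch relies on it being heap-allocated, NUL-terminated and never NULL. I would document that on the declaration, e.g. `char	*topic;	/* malloc'd, NUL-terminated, never NULL; freed with the channel */`. Turning the array into a pointer also changes the meaning of any remaining `sizeof(chptr->topic)`. The patch rewrites one such use in the TOPIC handler, but other users of the field are outside this diff and should be audited.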
diff -ur irc2.10.3p1/ircd/channel.c irc2.10.3p1+infinitetopic/ircd/channel.c
--- irc2.10.3p1/ircd/channel.c	Wed Jun  7 00:34:27 2000
+++ irc2.10.3p1+infinitetopic/ircd/channel.c	Wed Jan 17 00:48:33 2001
@@ -564,50 +564,49 @@
 		MODE_QUIET;
 
 	chptr = get_channel(mp, "&ERRORS", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: server errors");
+	chptr->topic = strdup("SERVER MESSAGES: server errors");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&NOTICES", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: warnings and notices");
+	chptr->topic = strdup("SERVER MESSAGES: warnings and notices");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&KILLS", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: operator and server kills");
+	chptr->topic = strdup("SERVER MESSAGES: operator and server kills");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&CHANNEL", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: fake modes");
+	chptr->topic = strdup("SERVER MESSAGES: fake modes");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&NUMERICS", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: numerics received");
+	chptr->topic = strdup("SERVER MESSAGES: numerics received");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&SERVERS", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: servers joining and leaving");
+	chptr->topic = strdup("SERVER MESSAGES: servers joining and leaving");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&HASH", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: hash tables growth");
+	chptr->topic = strdup("SERVER MESSAGES: hash tables growth");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&LOCAL", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: notices about local connections");
+	chptr->topic = strdup("SERVER MESSAGES: notices about local connections");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 	chptr = get_channel(mp, "&SERVICES", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: services joining and leaving");
+	chptr->topic = strdup("SERVER MESSAGES: services joining and leaving");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 #if defined(USE_IAUTH)
 	chptr = get_channel(mp, "&AUTH", CREATE);
-	strcpy(chptr->topic,
-	       "SERVER MESSAGES: messages from the authentication slave");
+	chptr->topic = strdup("SERVER MESSAGES: messages from the authentication slave");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode;
 #endif
 	chptr = get_channel(mp, "&DEBUG", CREATE);
-	strcpy(chptr->topic, "SERVER MESSAGES: debug messages [you shouldn't be here! ;)]");
+	chptr->topic = strdup("SERVER MESSAGES: debug messages [you shouldn't be here! ;)]");
 	add_user_to_channel(chptr, mp, CHFL_CHANOP);
 	chptr->mode.mode = smode|MODE_SECRET;
 
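Review bot: Each `chptr->topic = strdup(...)` here overwrites the one-byte buffer that the `get_channel(..., CREATE)` hunk at line 1825 now allocates, so every server channel leaks that allocation. The `strdup` result is also never checked, here or in the TOPIC hunk at line 2754, so an allocation failure leaves `topic` NULL for later `%s` formatting. Release the old buffer first and check the result, e.g. `free(chptr->topic);` before each assignment and a NULL test after it. A small helper that sets a topic would keep the eleven call sites identical. The enclosing function starts before and continues past this hunk.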
@@ -1826,6 +1825,12 @@
 		chptr->prevch = NULL;
 		chptr->nextch = channel;
 		chptr->history = 0;
+		chptr->topic = malloc(1);
+		if (chptr->topic == NULL) {
+			free (chptr);
+			return NULL;
+		}
+		chptr->topic[0] = '\0';
 		channel = chptr;
 		(void)add_to_channel_hash_table(chname, chptr);
 	    }
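Review bot: The added failure path makes `get_channel()` return NULL on a CREATE request, and the setup calls in the hunk at line 564 dereference the result without checking it. Other callers are not visible in this diff and presumably make the same assumption. The path also releases `chptr` with plain `free (chptr)`, while the hunk at line 1951 releases the same structure with `MyFree`. If the structure comes from the tree's allocation wrapper, the topic buffer should use that wrapper too, so the failure policy stays in one place. The function body starts and ends outside the hunk, so I cannot tell whether earlier setup on `chptr` also needs undoing before the early return.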
@@ -1946,8 +1951,10 @@
 
 		if (*chptr->chname == '!' && close_chid(chptr->chname+1))
 			cache_chid(chptr);
-		else
+		else {
+			free (chptr->topic);
 			MyFree((char *)chptr);
+		}
 	    }
 }
 
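Review bot: The topic buffer is released only in the `else` branch, so a channel handed to `cache_chid(chptr)` keeps its heap-allocated topic. Whatever later frees or reuses cached channel structures is not part of this patch. If that code still releases the structure with a single `MyFree`, the topic leaks; if it recycles the structure, a stale topic pointer survives. Either free the topic before caching and reset it, e.g. `free(chptr->topic); chptr->topic = NULL;`, or patch the cache release path as well. The enclosing function begins outside the hunk.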
@@ -2747,7 +2754,8 @@
 		else if ((chptr->mode.mode & MODE_TOPICLIMIT) == 0 ||
 			 is_chan_op(sptr, chptr))
 		    {	/* setting a topic */
-			strncpyzt(chptr->topic, topic, sizeof(chptr->topic));
+			free (chptr->topic);
+			chptr->topic = strdup(topic);
 			sendto_match_servs(chptr, cptr,":%s TOPIC %s :%s",
 					   parv[0], chptr->chname,
 					   chptr->topic);
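Review bot: Replacing `strncpyzt(chptr->topic, topic, sizeof(chptr->topic))` with `strdup(topic)` removes the only visible truncation of the topic. The stored length is now bounded only by what the input parser accepts, which the patch description itself says is unchecked. Any consumer that formats or copies the topic into a buffer sized around `TOPICLEN` would then be writing past its end; those consumers are not visible here, so they need auditing before this is applied. I would keep an explicit, documented maximum and enforce it before the copy, e.g. `if (strlen(topic) > MAXTOPIC) topic[MAXTOPIC] = '\0';`. Here `MAXTOPIC` is a placeholder for a limit chosen to fit the protocol line buffer, and the line assumes `topic` is writable. The enclosing function extends beyond the hunk on both sides.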