9front - general discussion about 9front
* irc7 buffer overflow
@ 2020-04-21  1:46 Silas McCroskey
  0 siblings, 0 replies; only message in thread
From: Silas McCroskey @ 2020-04-21  1:46 UTC (permalink / raw)
  To: 9front


I know irc7 is not in the main repo, but I don't know of a better list to
send this to.

I've sent the patch to khm via IRC already, and he merged it into
http://code.9front.org/hg/irc7 for anyone pulling from there.

- sam-d
---

irc7's pmsg function currently allocates a "big-enough" buffer and
sprints into it without checking lengths; this can be tripped at least
by the client sending a huge message from the command line, but the
same code is used for processing messages from the server.

Given that an offending message almost certainly originated from the
client (given IRC message size limits) and was either in error or an
intentional attempt to exploit this, catching a huge message earlier
in the process, printing a warning, and doing nothing else would
likely be a better solution.  Going with this for the following
reasons:

1. It's a simpler patch.
2. It guards against the vague potential of a server forwarding a huge
   message, which could make this remotely exploitable.

---

diff -r 22e155be6a0f irc.c
--- a/irc.c    Mon Apr 20 17:25:25 2020 -0700
+++ b/irc.c    Tue Apr 21 01:05:53 2020 +0000
@@ -531,7 +531,7 @@
 pmsg(int, char *time, char *pre, char *, char *par[])
 {
     int n = 0;
-    char buf[8192];
+    char *buf;
     char *c, *tc;

 /*
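Review bot: `char *buf;` is declared without an initializer, and the `if(!buf)` check added below the if/else chain is sound only because every branch of that chain assigns it; any future early-out inserted between this declaration and the `smprint` calls would leave the check reading an indeterminate pointer. `char *buf = nil;` costs nothing and makes the nil check fail safe. The replacement itself is right: the fixed `char buf[8192]` was the overflow target, since `sprint` writes without a bound.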
@@ -549,12 +549,15 @@
     }

     if(!pre)
-        sprint(buf, "%s (%s) ⇐ %s\n", time, par[0], par[1]);
+        buf = smprint("%s (%s) ⇐ %s\n", time, par[0], par[1]);
     else if(*par[0] != '#')
-        sprint(buf, "%s (%s) ⇒ %s\n", time, pre, par[1]);
+        buf = smprint("%s (%s) ⇒ %s\n", time, pre, par[1]);
     else
-        sprint(buf, "%s %s → %s\n", time, pre, par[1]);
+        buf = smprint("%s %s → %s\n", time, pre, par[1]);

+    if(!buf)
+        sysfatal("failed to allocate space for message: %r\n");
+
     c = buf;
 again:
     if(strlen(c) >= linewidth) {
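Review bot: the trailing `\n` in `sysfatal("failed to allocate space for message: %r\n")` is redundant; `sysfatal` appends its own newline after the `argv0:` prefix, so this prints an extra blank line on failure. `smprint` returns nil only when allocation fails, so `sysfatal` is the usual Plan 9 response, but note the consequence for this particular path: the same three formats are used for messages from the server, so an oversized message that cannot be allocated for now ends the client rather than being dropped. If the drop-and-warn approach from the cover letter is revisited, a length check on `par[1]` just before the `smprint` calls is where it belongs.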
@@ -572,6 +575,7 @@
         }
     }
     n += fprint(scr, "%s", c);
+    free(buf);
     return n;
 }

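Review bot: `free(buf)` sits only on the fall-through path after the final `fprint`; the wrapping code between `again:` and this hunk (lines 569 to 574 of irc.c) is not part of the diff, so if it contains a `return` or any other exit from the function the heap buffer now leaks where the stack array did not. Worth confirming there is no such exit, or routing every exit through the free. Freeing `buf` rather than `c` is correct, since `c` is the cursor the wrapping loop advances from `buf`.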

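The overflow and both fixes discussed in the message above, as an added example that is not irc7's code. It is portable C rather than Plan 9 C: `smprint_compat` stands in for Plan 9's `smprint`, the ASCII `<=`, `=>` and `->` replace the Unicode arrows in the real format strings, `pmsg_needed` measures what `sprint` would have written instead of reproducing the overflow, and `IRC_MAXLINE` (512 bytes, the RFC 1459 line limit, CR LF included) is the assumed "too big" threshold for the drop-it-early alternative. None of those names come from irc7.

```c
/*
 * Added example, not irc7's code: the fixed-buffer pattern pmsg used
 * before the patch, the allocating replacement, and the "reject oversized
 * input early" alternative from the cover letter, in portable C.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PMSG_BUFSZ 8192   /* stack buffer size pmsg used before the patch */
#define IRC_MAXLINE 512   /* assumed limit: RFC 1459 line length, CR LF included */

/* Size a message the way pmsg formats it, without writing it anywhere.
   Returns the byte count sprint() would have produced, NUL excluded.
   Arrows are ASCII stand-ins for the Unicode ones in irc7. */
static size_t pmsg_needed(const char *time, const char *pre,
                          const char *target, const char *text)
{
    if (pre == NULL)
        return (size_t)snprintf(NULL, 0, "%s (%s) <= %s\n", time, target, text);
    if (target[0] != '#')
        return (size_t)snprintf(NULL, 0, "%s (%s) => %s\n", time, pre, text);
    return (size_t)snprintf(NULL, 0, "%s %s -> %s\n", time, pre, text);
}

/* The bug: sprint() into char buf[8192] has no bound, so any message whose
   formatted form needs 8192 bytes or more (NUL included) runs off the end
   of the stack array. This only reports that condition, it does not trigger it. */
static int would_overflow_fixed(const char *time, const char *pre,
                                const char *target, const char *text)
{
    return pmsg_needed(time, pre, target, text) + 1 > PMSG_BUFSZ;
}

/* Portable stand-in for Plan 9 smprint(): format into a heap buffer sized to fit.
   Returns NULL on allocation or formatting failure; caller frees. */
static char *smprint_compat(const char *fmt, ...)
{
    va_list ap;
    int n;
    char *buf;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0)
        return NULL;
    buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Patched behaviour: the same three formats, into a buffer that fits. Caller frees. */
static char *pmsg_format(const char *time, const char *pre,
                         const char *target, const char *text)
{
    if (pre == NULL)
        return smprint_compat("%s (%s) <= %s\n", time, target, text);
    if (target[0] != '#')
        return smprint_compat("%s (%s) => %s\n", time, pre, text);
    return smprint_compat("%s %s -> %s\n", time, pre, text);
}

/* The cover letter's alternative: refuse a raw line over the protocol
   limit before it ever reaches the formatting code. */
static int msg_too_big(const char *line)
{
    return strlen(line) > IRC_MAXLINE;
}

/* Constructed oversized input: n bytes of 'A', NUL terminated. Caller frees. */
static char *repeat_a(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *big = repeat_a(20000);   /* far beyond the old 8192-byte stack buffer */
    char *out;

    if (big == NULL)
        return 1;
    printf("old fixed buffer would overflow: %d\n",
           would_overflow_fixed("12:00", "nick", "#chan", big));
    printf("rejected by early length check: %d\n", msg_too_big(big));
    out = pmsg_format("12:00", "nick", "#chan", big);
    if (out == NULL) {
        perror("pmsg_format");
        free(big);
        return 1;
    }
    printf("heap buffer formatted %zu bytes without truncation\n", strlen(out));
    free(out);
    free(big);
    return 0;
}
```

The patch shown above takes the `pmsg_format` route; `msg_too_big` is what the message describes as the alternative of catching the line earlier and printing a warning. Running both on the same input makes the difference visible: the early check drops anything over 512 bytes, while the allocating path accepts any length and leaves handling of hostile sizes to the allocator.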