Fix possible out of bounds read when being ctcp flooded

Note that this is unlikely to be triggerable by another user.

Thanks to @dequis for discovering.
Patrick Griffis 2018-03-02 20:48:54 -05:00
parent 8aa3b03261
commit 6e4fc09ce0


@ -340,17 +340,6 @@ flood_autodialog_timeout (gpointer data)
int int
flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ctcp 1=priv */ flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ctcp 1=priv */
{ {
/*
serv
int ctcp_counter;
time_t ctcp_last_time;
prefs
unsigned int ctcp_number_limit;
unsigned int ctcp_time_limit;
*/
char buf[512];
char real_ip[132];
int i;
time_t current_time; time_t current_time;
current_time = time (NULL); current_time = time (NULL);
@ -367,20 +356,24 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ct
serv->ctcp_counter++; serv->ctcp_counter++;
if (serv->ctcp_counter == prefs.hex_flood_ctcp_num) /*if we reached the maximun numbers of ctcp in the seconds limits */ if (serv->ctcp_counter == prefs.hex_flood_ctcp_num) /*if we reached the maximun numbers of ctcp in the seconds limits */
{ {
char *mask, *message, *real_ip;
serv->ctcp_last_time = current_time; /*we got the flood, restore all the vars for next one */ serv->ctcp_last_time = current_time; /*we got the flood, restore all the vars for next one */
serv->ctcp_counter = 0; serv->ctcp_counter = 0;
for (i = 0; i < 128; i++)
if (ip[i] == '@')
break;
g_snprintf (real_ip, sizeof (real_ip), "*!*%s", &ip[i]);
g_snprintf (buf, sizeof (buf), real_ip = strchr (ip, '@');
_("You are being CTCP flooded from %s, ignoring %s\n"), if (real_ip != NULL)
nick, real_ip); mask = g_strdup_printf ("*!*%s", real_ip);
PrintText (sess, buf); else
mask = g_strdup_printf ("%s!*", nick);
/* ignore CTCP */ message = g_strdup_printf (_("You are being CTCP flooded from %s, ignoring %s\n"), nick, mask);
ignore_add (real_ip, IG_CTCP, FALSE);
PrintText (sess, message);
ignore_add (mask, IG_CTCP, FALSE);
g_free (message);
g_free (mask);
return 0; return 0;
} }
} }
@ -396,6 +389,7 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ct
if (difftime (current_time, serv->msg_last_time) < if (difftime (current_time, serv->msg_last_time) <
prefs.hex_flood_msg_time) prefs.hex_flood_msg_time)
{ {
char buf[512];
serv->msg_counter++; serv->msg_counter++;
if (serv->msg_counter == prefs.hex_flood_msg_num) /*if we reached the maximun numbers of ctcp in the seconds limits */ if (serv->msg_counter == prefs.hex_flood_msg_num) /*if we reached the maximun numbers of ctcp in the seconds limits */
{ {
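Review bot: In the CTCP branch, the new `else` fallback `mask = g_strdup_printf ("%s!*", nick);` runs only when the prefix in `ip` has no `@`. Such a prefix may have no `!` either, in which case the stored ignore entry might never match the sender that triggered it; the matcher behind `ignore_add` is not visible here, so this needs checking. `nick` is remote-supplied and goes into the mask unescaped, so any character the matcher treats as pattern syntax would be interpreted rather than matched literally. If the fallback is intentional, a comment such as `/* prefix has no user@host (e.g. server-originated): fall back to a nick-only mask */` would record why. As a style point, `real_ip` now points at the `@host` tail of `ip` rather than at a formatted buffer, so a name like `at_host` would describe it better.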