From a3db4e577307742965f5ba75daf03146164bd211 Mon Sep 17 00:00:00 2001
From: Joseph Bisch
Date: Mon, 16 Oct 2017 20:31:21 -0400
Subject: [PATCH] Fix oob read in ctcp_check

word[4] can be too short, leading to the addition of ctcp_offset putting us out of bounds. This results in an oob read in ctcp_check.
---
 src/common/ctcp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/common/ctcp.c b/src/common/ctcp.c
index bf0a8e7f..a8e1ea8d 100644
--- a/src/common/ctcp.c
+++ b/src/common/ctcp.c
@@ -148,6 +148,9 @@ ctcp_handle (session *sess, char *to, char *nick, char *ip,
 		serv->p_nctcp (serv, nick, outbuf);
 	}
 
+	if (word[4][1] == '\0')
+		return;
+
 	if (!ctcp_check (sess, nick, word, word_eol, word[4] + ctcp_offset))
 	{
 		if (!g_ascii_strncasecmp (msg, "SOUND", 5))
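Review bot: The new guard only tests word[4][1], but the quantity actually added on the next line is ctcp_offset, which is assigned earlier in ctcp_handle outside this hunk; if that offset can ever exceed 2, a two-character word[4] still passes the check and word[4] + ctcp_offset lands beyond its terminator, which is exactly the out-of-bounds read the commit sets out to fix. Bounding on the real offset closes that gap in one line: `if (strlen (word[4]) < (size_t) ctcp_offset) return;` (strlen is in scope if <string.h> is already included, which I cannot see from the hunk). The length-based form also avoids dereferencing word[4][1] when word[4] is an empty string, which the present check would itself do one byte past the end unless the caller rules that case out. ctcp_handle begins before and continues after this hunk.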