fixes some potential remote buffer overflows

http://marc.theaimsgroup.com/?l=bugtraq&m=104766521328322&w=2
2003-03-27 15:46:11 +00:00 · 2003-03-27 15:46:11 +00:00 · 40a1bb306e
commit 40a1bb306e
parent 21cb6d946a
7 changed files with 276 additions and 9 deletions
--- a/net/bitchx/Makefile
+++ b/net/bitchx/Makefile
@ -1,18 +1,19 @@
-# $OpenBSD: Makefile,v 1.35 2002/10/28 01:38:44 naddy Exp $
+# $OpenBSD: Makefile,v 1.36 2003/03/27 15:46:11 brad Exp $
 # $FreeBSD: Makefile,v 1.3 1998/07/21 11:38:44 eivind Exp $

 COMMENT=	"alternative ircII color client"

 VERSION=	1.0c18
 DISTNAME=	ircii-pana-${VERSION}
-PKGNAME=	BitchX-${VERSION}
+PKGNAME=	BitchX-${VERSION}p1
 CATEGORIES=	net

-MASTER_SITES=	ftp://ftp.bitchx.com/pub/BitchX/source/ \
-		ftp://ftp.bitchx.org/pub/BitchX/source/
+MASTER_SITES=	ftp://ftp.bitchx.com/pub/BitchX/source/old/ \
+		ftp://ftp.bitchx.org/pub/BitchX/source/old/

 MAINTAINER=	Vincent Derrien <vincent.derrien@free.fr>

+# BSD
 PERMIT_PACKAGE_CDROM=	Yes
 PERMIT_PACKAGE_FTP=	Yes
 PERMIT_DISTFILES_CDROM=	Yes
--- a/net/bitchx/patches/patch-source_banlist_c
+++ b/net/bitchx/patches/patch-source_banlist_c
@ -0,0 +1,67 @@
+$OpenBSD: patch-source_banlist_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/banlist.c.orig	Mon Jan  8 01:24:22 2001
+++ source/banlist.c	Wed Mar 26 23:00:45 2003
+@@ -260,9 +260,9 @@ char *p;
+ char * ban_it(char *nick, char *user, char *host, char *ip)
+ {
+ static char banstr[BIG_BUFFER_SIZE/4+1];
+-char *tmpstr = NULL;
+ char *t = user;
+ char *t1 = user;
+char *tmp;
+ 	
+ 	*banstr = 0;
+ 	while (strlen(t1)>9)
+@@ -273,32 +273,40 @@ char *t1 = user;
+ 		case 7:
+ 			if (ip)
+ 			{
+-				sprintf(banstr, "*!*@%s", cluster(ip));
+				snprintf(banstr, sizeof banstr, "*!*@%s",
+					cluster(ip));
+ 				break;
+ 			}
+ 		case 2: /* Better 	*/
+-			sprintf(banstr, "*!*%s@%s", t1, cluster(host));
+			snprintf(banstr, sizeof banstr, "*!*%s@%s", t1, 
+				cluster(host));
+ 			break;
+ 		case 3: /* Host 	*/
+-			sprintf(banstr, "*!*@%s", host);
+			snprintf(banstr, sizeof banstr, "*!*@%s", host);
+ 			break;
+ 		case 4: /* Domain	*/
+-			sprintf(banstr, "*!*@*%s", strrchr(host, '.'));
+-			break;
+			tmp = strrchr(host, '.');
+			if (tmp) {
+				snprintf(banstr, sizeof banstr, "*!*@*%s",
+					tmp);
+			} else {
+				snprintf(banstr, sizeof banstr, "*!*@%s", 
+					host);
+			}
+			break;	
+ 		case 5: /* User		*/
+-			sprintf(banstr, "*!%s@%s", t, cluster(host));
+			snprintf(banstr, sizeof banstr, "*!%s@%s", t, 
+				cluster(host));
+ 			break;
+ 		case 6: /* Screw 	*/
+-			malloc_sprintf(&tmpstr, "*!*%s@%s", t1, host);
+-			strcpy(banstr, screw(tmpstr));
+-			new_free(&tmpstr);
+			snprintf(banstr, sizeof banstr, "*!*%s@%s", t1, host);
+			screw(banstr);
+ 			break;
+ 		case 1:	/* Normal 	*/
+ 		default:
+-		{
+-			sprintf(banstr, "%s!*%s@%s", nick, t1, host);
+			snprintf(banstr, sizeof banstr, "%s!*%s@%s", nick, t1,
+				host);
+ 			break;
+-		}
+ 	}
+ 	return banstr;
+ }
--- a/net/bitchx/patches/patch-source_ctcp_c
+++ b/net/bitchx/patches/patch-source_ctcp_c
@ -0,0 +1,14 @@
+$OpenBSD: patch-source_ctcp_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/ctcp.c.orig	Mon Jan  8 01:24:22 2001
+++ source/ctcp.c	Wed Mar 26 23:00:45 2003
+@@ -1478,6 +1478,10 @@ extern	void	send_ctcp (int type, char *t
+ 	     *putbuf2;
+ 	int len;
+ 	len = IRCD_BUFFER_SIZE - (12 + strlen(to));
+
+	if (len < strlen(ctcp_cmd[datatag].name) + 3)
+		return;
+
+ 	putbuf2 = alloca(len);
+ 
+ 	if (format)
--- a/net/bitchx/patches/patch-source_misc_c
+++ b/net/bitchx/patches/patch-source_misc_c
@ -0,0 +1,107 @@
+$OpenBSD: patch-source_misc_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/misc.c.orig	Mon Jan  8 01:24:22 2001
+++ source/misc.c	Wed Mar 26 23:00:45 2003
+@@ -3108,42 +3108,47 @@ char *cluster (char *hostname)
+ 	static char result[IRCD_BUFFER_SIZE/4 + 1];
+ 	char temphost[BIG_BUFFER_SIZE + 1];
+ 	char *host;
+	char *atsign;
+ 
+ 	if (!hostname)
+ 		return NULL;
+-	host = temphost;
+-	*result = 0;
+-	memset(result, 0, sizeof(result));
+-	memset(temphost, 0, sizeof(temphost));
+-	if (strchr(hostname, '@'))
+-	{
+-		if (*hostname == '~')
+-			hostname++;
+-		strcpy(result, hostname);
+-		*strchr(result, '@') = '\0';
+-		if (strlen(result) > 9)
+-		{
+-			result[8] = '*';
+-			result[9] = '\0';
+
+	atsign = strchr(hostname, '@');
+	if (atsign) {
+		if (*hostname == '~') {
+			strcpy(result, "~*@");
+		} else {
+			size_t ident_len = atsign - hostname;
+			
+			if (ident_len <= 9) {
+				/* copy ident@ */
+				strmcpy(result, hostname, ident_len + 1);
+			} else {
+				strmcpy(result, hostname, 8);
+				result[8] = '*';
+				result[9] = '@';
+				result[10] = '\0';
+			}
+ 		}
+-		strcat(result, "@");
+-		if (!(hostname = strchr(hostname, '@')))
+-			return NULL;
+-		hostname++;
+		hostname = atsign + 1;
+	} else {
+		*result = 0;
+ 	}
+-	strcpy(host, hostname);
+ 
+-	if (*host && isdigit(*(host + strlen(host) - 1)))
+	strlcpy(temphost, hostname, sizeof temphost);
+	host = temphost;
+
+	if (*host && isdigit((unsigned char)*(host + strlen(host) - 1)))
+ 	{
+ 		/* Thanks icebreak for this small patch which fixes this function */
+                 int i;
+                 char *tmp;
+-                char count=0;
+                char count = 0;
+ 
+                 tmp = host;
+-                while((tmp-host)<strlen(host))
+                while((tmp - host) < strlen(host))
+                 {
+-	                if((tmp=strchr(tmp,'.'))==NULL) 
+	                if((tmp = strchr(tmp,'.')) == NULL) 
+ 				break;
+         	        count++;
+                 	tmp++;
+@@ -3152,8 +3157,8 @@ char *cluster (char *hostname)
+                 for (i = 0; i < count; i++)
+                         tmp = strchr(tmp, '.') + 1;
+                 *tmp = '\0';
+-                strcat(result, host);
+-                strcat(result, "*");
+                strlcat(result, host, sizeof result);
+                strlcat(result, "*", sizeof result);
+ 	}
+ 	else
+ 	{
+@@ -3175,16 +3180,17 @@ char *cluster (char *hostname)
+ 			else
+ 				return (char *) NULL;
+ 		}
+		
+		/* We don't need strlcat for these first two, because
+		 * at this point the maximum length of the string in
+		 * result is 10 */
+ 		strcat(result, "*");
+ 		if (my_stricmp(host, temphost))
+ 			strcat(result, ".");
+-		strcat(result, host);
+		strlcat(result, host, sizeof result);
+ 	}
+ 	return result;
+ }
+-
+-
+-
+ 
+ struct _sock_manager
+ {
--- a/net/bitchx/patches/patch-source_names_c
+++ b/net/bitchx/patches/patch-source_names_c
@ -0,0 +1,21 @@
+$OpenBSD: patch-source_names_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/names.c.orig	Mon Jan  8 01:24:22 2001
+++ source/names.c	Wed Mar 26 23:00:45 2003
+@@ -568,7 +568,7 @@ NickList	*tnl = NULL;
+ 
+    	*nmodes = 0;
+    	*nargs = 0;
+-	for (; *modes; modes++) 
+	for (; *modes && (strlen(nmodes) + 2) < sizeof nmodes; modes++) 
+ 	{
+ 		isbanned = isopped = isvoiced = 0;
+ 		switch (*modes) 
+@@ -738,7 +738,7 @@ NickList	*tnl = NULL;
+ 
+    /* modes which can be done multiple times are added here */
+ 
+-	for (tucm = ucm; tucm; tucm = tucm->next) 
+	for (tucm = ucm; tucm && (strlen(nmodes) + 2) < sizeof nmodes; tucm = tucm->next) 
+ 	{
+ 		if (tucm->o_ed) 
+ 		{
--- a/net/bitchx/patches/patch-source_notice_c
+++ b/net/bitchx/patches/patch-source_notice_c
@ -0,0 +1,12 @@
+$OpenBSD: patch-source_notice_c,v 1.1 2003/03/27 15:46:11 brad Exp $
+--- source/notice.c.orig	Mon Jan  8 01:24:22 2001
+++ source/notice.c	Wed Mar 26 23:00:45 2003
+@@ -421,7 +421,7 @@ irc.BitchX.com *** Notice -- Nick collis
+ 		int conn = !strncmp(line+7, "connect", 7) ? 1 : 0;
+ 		int dalnet = 0, ircnet = 0;
+ 
+-		if (*(line+18) == ':')
+		if (strlen(line) >= 19 && line[18] == ':')
+ 			q = NULL;
+ 		else
+ 			dalnet = (q == NULL);
--- a/net/bitchx/patches/patch-source_numbers_c
+++ b/net/bitchx/patches/patch-source_numbers_c
@ -1,7 +1,52 @@
-$OpenBSD: patch-source_numbers_c,v 1.1 2002/04/16 18:30:39 pvalchev Exp $
--- source/numbers.c.orig	Tue Apr 16 11:45:34 2002
-+++ source/numbers.c	Tue Apr 16 11:44:39 2002
-@@ -1454,7 +1454,7 @@ void numbered_command(char *from, int co
+$OpenBSD: patch-source_numbers_c,v 1.2 2003/03/27 15:46:11 brad Exp $
+--- source/numbers.c.orig	Mon Jan  8 01:24:22 2001
+++ source/numbers.c	Wed Mar 26 23:42:38 2003
+@@ -350,26 +350,29 @@ static	void cannot_join_channel(char *fr
+ 
+ 	set_display_target(chan, LOG_CURRENT);
+ 	PasteArgs(ArgList, 0);
+-	strcpy(buffer, ArgList[0]);
+	strlcpy(buffer, ArgList[0], sizeof buffer);
+ 	switch(-current_numeric)
+ 	{
+ 		case 437: 
+-			strcat(buffer, " (Channel is temporarily unavailable)");
+			strlcat(buffer, 
+				" (Channel is temporarily unavailable)",
+				sizeof buffer);
+ 			break;
+ 		case 471:
+-			strcat(buffer, " (Channel is full)");
+			strlcat(buffer, " (Channel is full)", sizeof buffer);
+ 			break;
+ 		case 473:
+-			strcat(buffer, " (You must be invited)");
+			strlcat(buffer, " (You must be invited)", 
+				sizeof buffer);
+ 			break;
+ 		case 474:
+-			strcat(buffer, " (You are banned)");
+			strlcat(buffer, " (You are banned)", sizeof buffer);
+ 			break;
+ 		case 475:
+-			strcat(buffer, " (Bad channel key)");
+			strlcat(buffer, " (Bad channel key)", sizeof buffer);
+ 			break;
+ 		case 476:
+-			strcat(buffer, " (Bad channel mask)");
+			strlcat(buffer, " (Bad channel mask)", sizeof buffer);
+ 			break;
+ 		default:
+ 			return;
+@@ -381,7 +384,6 @@ static	void cannot_join_channel(char *fr
+ 	reset_display_target();
+ }
+ 
+-
+ int handle_server_stats(char *from, char **ArgList, int comm)
+ {
+ static	int 	norm = 0, 
+@@ -1454,7 +1456,7 @@ void numbered_command(char *from, int co
 			
 			if (!ArgList[1] || !*ArgList[1])
 				break;
@ -10,7 +55,7 @@ $OpenBSD: patch-source_numbers_c,v 1.1 2002/04/16 18:30:39 pvalchev Exp $
 			strcpy(this_sucks, ctime(&tme));
 			this_sucks[strlen(this_sucks)-1] = '\0';		
 
-@@ -1465,16 +1465,16 @@ void numbered_command(char *from, int co
+@@ -1465,16 +1467,16 @@ void numbered_command(char *from, int co
 			else
 			{
 				char cts[80], pts[80], ots[80];