Security fix (until maintainer commits proper update):

A buffer overflow vulnerability exists in ircd that allows a
remote attacker to crash the ircd server, thus causing a denial
of service condition.
margarida 2003-11-11 15:17:34 +00:00
parent f60aece3cd
commit cda0e2df62
2 changed files with 56 additions and 3 deletions


@ -1,13 +1,13 @@
# $OpenBSD: Makefile,v 1.23 2003/05/12 18:02:44 sturm Exp $ # $OpenBSD: Makefile,v 1.24 2003/11/11 15:17:34 margarida Exp $
# $FreeBSD: Makefile,v 1.19 1998/12/09 20:15:29 billf Exp $ # $FreeBSD: Makefile,v 1.19 1998/12/09 20:15:29 billf Exp $
COMMENT= "internet relay chat (irc) server" COMMENT= "internet relay chat (irc) server"
DISTNAME= irc2.10.3p1 DISTNAME= irc2.10.3p1
PKGNAME= irc-2.10.3p1 PKGNAME= irc-2.10.3p1p1
CATEGORIES= net CATEGORIES= net
MASTER_SITES= ftp://ftp.irc.org/irc/server/ \ MASTER_SITES= ftp://ftp.irc.org/irc/server/Old/ \
ftp://ftp.ntua.gr/pub/net/irc/server/ ftp://ftp.ntua.gr/pub/net/irc/server/
EXTRACT_SUFX= .tgz EXTRACT_SUFX= .tgz


@ -0,0 +1,53 @@
$OpenBSD: patch-ircd_channel_c,v 1.1 2003/11/11 15:17:34 margarida Exp $
--- ircd/channel.c.orig 2000-06-06 23:34:27.000000000 +0100
+++ ircd/channel.c 2003-11-09 00:03:46.000000000 +0000
@@ -1966,7 +1966,7 @@ char *parv[];
Reg Link *lp;
Reg aChannel *chptr;
Reg char *name, *key = NULL;
- int i, flags = 0;
+ int i, tmplen, flags = 0;
char *p = NULL, *p2 = NULL, *s, chop[5];
if (parc < 2 || *parv[1] == '\0')
@@ -2115,10 +2115,20 @@ char *parv[];
parv[0]), name);
continue;
}
+ tmplen = strlen(name);
+ if (i + tmplen + 2 /* comma and \0 */
+ >= sizeof(jbuf) )
+ {
+
+ break;
+
+ }
if (*jbuf)
- (void)strcat(jbuf, ",");
- (void)strncat(jbuf, name, sizeof(jbuf) - i - 1);
- i += strlen(name)+1;
+ {
+ jbuf[i++] = ',';
+ }
+ (void)strcpy(jbuf + i, name);
+ i += tmplen;
}
p = NULL;
@@ -2270,6 +2280,16 @@ char *parv[];
parv[0], name, chop);
else if (*chptr->chname != '&')
{
+ /* ":" (1) "nick" (NICKLEN) " JOIN :" (7), comma (1)
+ ** possible chop (4), ending \r\n\0 (3) = 16
+ ** must fit in the cbuf as well! --B. */
+ if (strlen(cbuf) + strlen(name) + NICKLEN + 16
+ >= sizeof(cbuf))
+ {
+ sendto_serv_butone(cptr, ":%s JOIN :%s",
+ parv[0], cbuf);
+ cbuf[0] = '\0';
+ }
if (*cbuf)
strcat(cbuf, ",");
strcat(cbuf, name);
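Review bot: The new length check in the last hunk flushes and empties `cbuf`, but it never confirms that `name` fits on its own, so the two `strcat` calls after it are still bounded only by whatever limit on `name` is enforced earlier in the function, outside this hunk. The branch also runs when `cbuf` is already empty, which would send a JOIN with an empty channel list to the other servers; testing `*cbuf &&` first in that condition avoids the empty message. If the channel-name limit is guaranteed above, a one-line comment stating that bound next to `strcat(cbuf, name);` would make the invariant checkable; if it is not, an oversized `name` should be skipped here instead of being appended. The check also uses `sizeof(cbuf)`, which assumes `cbuf` is declared as an array in this function and not as a pointer; the declaration is not visible in the hunk.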