diff options
author | Joseph Bisch <joseph.bisch@gmail.com> | 2017-09-18 21:40:57 -0400 |
---|---|---|
committer | TingPing <tingping@tingping.se> | 2017-09-18 22:01:48 -0400 |
commit | f4a592c4f0364d35068bca9f2634946750340356 (patch) | |
tree | db6e2996b8fc025a77ea9e1740aa07f0a3868061 | |
parent | a388d0c553f495719204662515945b4c6e0cbdad (diff) |
Fix oob read caused by ptr[0] being NULL in inbound_notice
If ptr[0] is NULL, then strchr may return a pointer to the NULL terminator for serv->nick_prefixes, making the if statement true, which then leads to the pointer increment leaving ptr oob. Now we check to ensure ptr[0] != NULL. From the Linux manpages for strchr: The terminating null byte is considered part of the string, so that if c is specified as '\0', these functions return a pointer to the terminator.
-rw-r--r-- | src/common/inbound.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/common/inbound.c b/src/common/inbound.c index fae0fd34..86442fa8 100644 --- a/src/common/inbound.c +++ b/src/common/inbound.c @@ -940,7 +940,7 @@ inbound_notice (server *serv, char *to, char *nick, char *msg, char *ip, int id, sess = find_channel (serv, ptr); /* /notice [mode-prefix]#channel should end up in that channel */ - if (!sess && strchr(serv->nick_prefixes, ptr[0]) != NULL) + if (!sess && ptr[0] && strchr(serv->nick_prefixes, ptr[0]) != NULL) { ptr++; sess = find_channel (serv, ptr); |