author: Joseph Bisch <joseph.bisch@gmail.com> 2017-09-18 21:40:57 -0400
committer: TingPing <tingping@tingping.se> 2017-09-18 22:01:48 -0400
commit: f4a592c4f0364d35068bca9f2634946750340356 (patch)
tree: db6e2996b8fc025a77ea9e1740aa07f0a3868061
parent: a388d0c553f495719204662515945b4c6e0cbdad (diff)
Fix oob read caused by ptr[0] being NULL in inbound_notice
If ptr[0] is NULL, then strchr may return a pointer to the NULL
terminator for serv->nick_prefixes, making the if statement true, which
then leads to the pointer increment leaving ptr oob. Now we check to
ensure ptr[0] != NULL.

From the Linux manpages for strchr:
The terminating null byte is considered part of the string, so that if c is
specified as '\0', these functions return a pointer to the terminator.
-rw-r--r-- src/common/inbound.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/common/inbound.c b/src/common/inbound.c
index fae0fd34..86442fa8 100644
--- a/src/common/inbound.c
+++ b/src/common/inbound.c
@@ -940,7 +940,7 @@ inbound_notice (server *serv, char *to, char *nick, char *msg, char *ip, int id,
 		sess = find_channel (serv, ptr);
 
 	/* /notice [mode-prefix]#channel should end up in that channel */
-	if (!sess && strchr(serv->nick_prefixes, ptr[0]) != NULL)
+	if (!sess && ptr[0] && strchr(serv->nick_prefixes, ptr[0]) != NULL)
 	{
 		ptr++;
 		sess = find_channel (serv, ptr);
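Review bot: the `ptr[0] &&` guard at the start of the condition is the right place for it, since it short-circuits before `strchr` runs and so stops an empty `ptr` from matching the terminator of `serv->nick_prefixes` and reaching the `ptr++` that walked past the end of the string; consider extending the comment above the `if` to say so (e.g. "ptr[0] check: strchr matches the NUL terminator, so an empty ptr would be incremented past its end"), since the guard looks redundant without that context. Minor style point: `strchr(serv->nick_prefixes, ptr[0])` has no space before the parenthesis while the surrounding calls in this hunk (`find_channel (serv, ptr)`) do, so this line could be adjusted to match while it is being touched.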