authorPatrick Griffis <tingping@tingping.se>2018-03-02 20:48:54 -0500
committerPatrick Griffis <tingping@tingping.se>2018-03-02 20:56:54 -0500
commit6e4fc09ce005db965523ef8930ea51ca429815a2 (patch)
treed098954a4b366f44e1694f261e693333586661f1 /src
parent8aa3b0326146840b7c01c4d353b5526c3e2a07f4 (diff)
Fix possible out of bounds read when being ctcp flooded
Note that this is unlikely to be triggerable by another user.

Thanks to @dequis for discovering.
Diffstat (limited to 'src')
-rw-r--r--src/common/ignore.c36
1 files changed, 15 insertions, 21 deletions
diff --git a/src/common/ignore.c b/src/common/ignore.c
index 1d1eaf20..8bf0d57f 100644
--- a/src/common/ignore.c
+++ b/src/common/ignore.c
@@ -340,17 +340,6 @@ flood_autodialog_timeout (gpointer data)
 int
 flood_check (char *nick, char *ip, server *serv, session *sess, int what)	/*0=ctcp  1=priv */
 {
-	/*
-	   serv
-	   int ctcp_counter; 
-	   time_t ctcp_last_time;
-	   prefs
-	   unsigned int ctcp_number_limit;
-	   unsigned int ctcp_time_limit;
-	 */
-	char buf[512];
-	char real_ip[132];
-	int i;
 	time_t current_time;
 	current_time = time (NULL);
 
@@ -367,20 +356,24 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what)	/*0=ct
 				serv->ctcp_counter++;
 				if (serv->ctcp_counter == prefs.hex_flood_ctcp_num)	/*if we reached the maximun numbers of ctcp in the seconds limits */
 				{
+					char *mask, *message, *real_ip;
+
 					serv->ctcp_last_time = current_time;	/*we got the flood, restore all the vars for next one */
 					serv->ctcp_counter = 0;
-					for (i = 0; i < 128; i++)
-						if (ip[i] == '@')
-							break;
-					g_snprintf (real_ip, sizeof (real_ip), "*!*%s", &ip[i]);
 
-					g_snprintf (buf, sizeof (buf),
-								 _("You are being CTCP flooded from %s, ignoring %s\n"),
-								 nick, real_ip);
-					PrintText (sess, buf);
+					real_ip = strchr (ip, '@');
+					if (real_ip != NULL)
+						mask = g_strdup_printf ("*!*%s", real_ip);
+					else
+						mask = g_strdup_printf ("%s!*", nick);
+
+					message = g_strdup_printf (_("You are being CTCP flooded from %s, ignoring %s\n"), nick, mask);
+
+					PrintText (sess, message);
+					ignore_add (mask, IG_CTCP, FALSE);
 
-					/* ignore CTCP */
-					ignore_add (real_ip, IG_CTCP, FALSE);
+					g_free (message);
+					g_free (mask);
 					return 0;
 				}
 			}
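Review bot: The `strchr (ip, '@')` call added on the new side assumes `ip` is non-NULL; nothing in the hunk establishes that, and if a caller can reach this branch before a user@host string is known, `strchr` on NULL is undefined behaviour. If that case is possible, guarding the lookup keeps the nick-only fallback for it: `real_ip = ip ? strchr (ip, '@') : NULL;`. The new `else` branch that builds `"%s!*"` from `nick` is a behaviour the old code had no separate path for (it always used `&ip[i]`), so a one-line comment such as `/* no user@host available: fall back to a nick-only ignore mask */` would make clear it is deliberate rather than a leftover. flood_check's body continues outside the hunk.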
@@ -396,6 +389,7 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what)	/*0=ct
 			if (difftime (current_time, serv->msg_last_time) <
 				 prefs.hex_flood_msg_time)
 			{
+				char buf[512];
 				serv->msg_counter++;
 				if (serv->msg_counter == prefs.hex_flood_msg_num)	/*if we reached the maximun numbers of ctcp in the seconds limits */
 				{