diff options
| author | Patrick Griffis <tingping@tingping.se> | 2018-03-02 20:48:54 -0500 |
|---|---|---|
| committer | Patrick Griffis <tingping@tingping.se> | 2018-03-02 20:56:54 -0500 |
| commit | 6e4fc09ce005db965523ef8930ea51ca429815a2 (patch) | |
| tree | d098954a4b366f44e1694f261e693333586661f1 /src | |
| parent | 8aa3b0326146840b7c01c4d353b5526c3e2a07f4 (diff) | |
Fix possible out of bounds read when being ctcp flooded
Note that this is unlikely to be triggerable by another user. Thanks to @dequis for discovering.
Diffstat (limited to 'src')
| -rw-r--r-- | src/common/ignore.c | 36 |
1 files changed, 15 insertions, 21 deletions
diff --git a/src/common/ignore.c b/src/common/ignore.c index 1d1eaf20..8bf0d57f 100644 --- a/src/common/ignore.c +++ b/src/common/ignore.c @@ -340,17 +340,6 @@ flood_autodialog_timeout (gpointer data) int flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ctcp 1=priv */ { - /* - serv - int ctcp_counter; - time_t ctcp_last_time; - prefs - unsigned int ctcp_number_limit; - unsigned int ctcp_time_limit; - */ - char buf[512]; - char real_ip[132]; - int i; time_t current_time; current_time = time (NULL); @@ -367,20 +356,24 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ct serv->ctcp_counter++; if (serv->ctcp_counter == prefs.hex_flood_ctcp_num) /*if we reached the maximun numbers of ctcp in the seconds limits */ { + char *mask, *message, *real_ip; + serv->ctcp_last_time = current_time; /*we got the flood, restore all the vars for next one */ serv->ctcp_counter = 0; - for (i = 0; i < 128; i++) - if (ip[i] == '@') - break; - g_snprintf (real_ip, sizeof (real_ip), "*!*%s", &ip[i]); - g_snprintf (buf, sizeof (buf), - _("You are being CTCP flooded from %s, ignoring %s\n"), - nick, real_ip); - PrintText (sess, buf); + real_ip = strchr (ip, '@'); + if (real_ip != NULL) + mask = g_strdup_printf ("*!*%s", real_ip); + else + mask = g_strdup_printf ("%s!*", nick); + + message = g_strdup_printf (_("You are being CTCP flooded from %s, ignoring %s\n"), nick, mask); + + PrintText (sess, message); + ignore_add (mask, IG_CTCP, FALSE); - /* ignore CTCP */ - ignore_add (real_ip, IG_CTCP, FALSE); + g_free (message); + g_free (mask); return 0; } } @@ -396,6 +389,7 @@ flood_check (char *nick, char *ip, server *serv, session *sess, int what) /*0=ct if (difftime (current_time, serv->msg_last_time) < prefs.hex_flood_msg_time) { + char buf[512]; serv->msg_counter++; if (serv->msg_counter == prefs.hex_flood_msg_num) /*if we reached the maximun numbers of ctcp in the seconds limits */ { |