From f4a592c4f0364d35068bca9f2634946750340356 Mon Sep 17 00:00:00 2001
From: Joseph Bisch
Date: Mon, 18 Sep 2017 21:40:57 -0400
Subject: Fix oob read caused by ptr[0] being NULL in inbound_notice

If ptr[0] is NULL, then strchr may return a pointer to the NULL terminator for serv->nick_prefixes, making the if statement true, which then leads to the pointer increment leaving ptr oob. Now we check to ensure ptr[0] != NULL.
From the Linux manpages for strchr:
The terminating null byte is considered part of the string, so that if c is specified as '\0', these functions return a pointer to the terminator.
---
 src/common/inbound.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/common')
diff --git a/src/common/inbound.c b/src/common/inbound.c
index fae0fd34..86442fa8 100644
--- a/src/common/inbound.c
+++ b/src/common/inbound.c
@@ -940,7 +940,7 @@ inbound_notice (server *serv, char *to, char *nick, char *msg, char *ip, int id,
 		sess = find_channel (serv, ptr);
 		/* /notice [mode-prefix]#channel should end up in that channel */
-		if (!sess && strchr(serv->nick_prefixes, ptr[0]) != NULL)
+		if (!sess && ptr[0] && strchr(serv->nick_prefixes, ptr[0]) != NULL)
 		{
 			ptr++;
 			sess = find_channel (serv, ptr);
-- 
cgit 1.4.1
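Review bot: The added `ptr[0] &&` guard on the `if` line is correct but carries no explanation in the file, so the reason it must stay (strchr() treats the terminator as part of the string, so a '\0' argument matches and the following `ptr++` would step past the end of the target) lives only in the commit message and is easy to "simplify" away later. I would extend the comment above the condition, e.g. `/* ptr[0] != '\0' check: strchr() matches the NUL terminator for '\0', which would let ptr++ run past the end of the string */`, and for readability write the test as `ptr[0] != '\0'` since it is a char, not a pointer (the commit title's "NULL" means the NUL byte). The same `strchr(serv->nick_prefixes, c)` idiom with an unchecked `c` may be used by other target-prefix handling in inbound.c; that is inferred, not visible here, but worth a grep before closing the issue. inbound_notice begins and ends outside this hunk, so whether `ptr` can be empty on entry and where it is derived from the network-supplied `to` cannot be confirmed from the visible lines.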