path: root/main/irssi/CVE-2017-9468.patch
blob: 480299774ed106eb55e3b44eb952286679f8ffb2 (plain)
From 30a92754bb650c3dedd507d41110443142899a65 Mon Sep 17 00:00:00 2001
From: Joseph Bisch <joseph.bisch@gmail.com>
Date: Mon, 29 May 2017 14:43:24 -0400
Subject: [PATCH 1/2] Fix oob read of one byte in
 get_file_params_count{,_resume}

We can use continue to handle cases such as:
"ab<space><space>c"
---
 src/irc/dcc/dcc-get.c    | 2 ++
 src/irc/dcc/dcc-resume.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/irc/dcc/dcc-get.c b/src/irc/dcc/dcc-get.c
index 73c1b8648..eff516dbc 100644
--- a/src/irc/dcc/dcc-get.c
+++ b/src/irc/dcc/dcc-get.c
@@ -382,6 +382,8 @@ int get_file_params_count(char **params, int paramcount)
 	if (*params[0] == '"') {
 		/* quoted file name? */
 		for (pos = 0; pos < paramcount-3; pos++) {
+			if (strlen(params[pos]) == 0)
+				continue;
 			if (params[pos][strlen(params[pos])-1] == '"' &&
 			    get_params_match(params, pos+1))
 				return pos+1;
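Review bot: The added guard in the quoted-file-name loop calls `strlen(params[pos])`, and the test right after it calls it again on the same string, with nothing recording why an empty element can occur. Storing the length once, `size_t len = strlen(params[pos]);`, then `if (len == 0) continue;` and `params[pos][len-1] == '"'`, keeps the bounds check and the index visibly tied together. A short comment such as `/* consecutive spaces yield empty params; skip them so len-1 cannot index before the string */` would record the reason, since these parameters come from a remote peer's DCC request. The same applies to the identical hunk in src/irc/dcc/dcc-resume.c (get_file_params_count_resume). Both function bodies start and end outside the hunks, so how `paramcount` is validated before the loop is not visible here.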
diff --git a/src/irc/dcc/dcc-resume.c b/src/irc/dcc/dcc-resume.c
index 36f84ddfd..ce0ac9251 100644
--- a/src/irc/dcc/dcc-resume.c
+++ b/src/irc/dcc/dcc-resume.c
@@ -62,6 +62,8 @@ int get_file_params_count_resume(char **params, int paramcount)
 	if (*params[0] == '"') {
 		/* quoted file name? */
 		for (pos = 0; pos < paramcount-2; pos++) {
+			if (strlen(params[pos]) == 0)
+				continue;
 			if (params[pos][strlen(params[pos])-1] == '"' &&
 			    get_params_match_resume(params, pos+1))
 				return pos+1;

From 528f51bfbe5c65c5b24546faa244009dd5b3c586 Mon Sep 17 00:00:00 2001
From: Joseph Bisch <joseph.bisch@gmail.com>
Date: Wed, 17 May 2017 10:08:51 -0400
Subject: [PATCH 2/2] Fix dcc_request where addr is NULL

---
 src/irc/dcc/dcc-get.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/irc/dcc/dcc-get.c b/src/irc/dcc/dcc-get.c
index 73c1b8648..982940995 100644
--- a/src/irc/dcc/dcc-get.c
+++ b/src/irc/dcc/dcc-get.c
@@ -428,6 +428,10 @@ static void ctcp_msg_dcc_send(IRC_SERVER_REC *server, const char *data,
 	int p_id = -1;
 	int passive = FALSE;
 
+	if (addr == NULL) {
+		addr = "";
+	}
+
 	/* SEND <file name> <address> <port> <size> [...] */
 	/* SEND <file name> <address> 0 <size> <id> (DCC SEND passive protocol) */
 	params = g_strsplit(data, " ", -1);
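Review bot: The new `addr == NULL` guard at the top of ctcp_msg_dcc_send has no comment saying when a DCC SEND can arrive without a sender address or why an empty string is an acceptable stand-in. I would add `/* addr can be NULL (presumably a message with no sender host); use "" so later string handling never dereferences NULL */` above the check. The rest of the function lies outside the hunk, so it is not visible whether the empty address is later used for matching, display or connection setup; if it is, dropping the request here may be safer than continuing with `""`. The parameter list is cut off in the hunk header, so this assumes `addr` is declared `const char *`.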