BitchX-security.patch

   1 diff -ru BitchX-old/source/banlist.c BitchX/source/banlist.c
   2 --- BitchX-old/source/banlist.c 2002-02-28 06:22:46.000000000 +0200
   3 +++ BitchX/source/banlist.c     2003-03-13 20:09:01.000000000 +0200
   4 @@ -277,30 +277,30 @@
   5                 case 7:
   6                         if (ip)
   7                         {
   8 -                               sprintf(banstr, "*!*@%s", cluster(ip));
   9 +                               snprintf(banstr, sizeof(banstr), "*!*@%s", cluster(ip));
  10                                 break;
  11                         }
  12                 case 2: /* Better       */
  13 -                       sprintf(banstr, "*!*%s@%s", t1, cluster(host));
  14 +                       snprintf(banstr, sizeof(banstr), "*!*%s@%s", t1, cluster(host));
  15                         break;
  16                 case 3: /* Host         */
  17 -                       sprintf(banstr, "*!*@%s", host);
  18 +                       snprintf(banstr, sizeof(banstr), "*!*@%s", host);
  19                         break;
  20                 case 4: /* Domain       */
  21 -                       sprintf(banstr, "*!*@*%s", strrchr(host, '.'));
  22 +                       snprintf(banstr, sizeof(banstr), "*!*@*%s", strrchr(host, '.'));
  23                         break;
  24                 case 5: /* User         */
  25 -                       sprintf(banstr, "*!%s@%s", t, cluster(host));
  26 +                       snprintf(banstr, sizeof(banstr), "*!%s@%s", t, cluster(host));
  27                         break;
  28                 case 6: /* Screw        */
  29                         malloc_sprintf(&tmpstr, "*!*%s@%s", t1, host);
  30 -                       strcpy(banstr, screw(tmpstr));
  31 +                       strmcpy(banstr, screw(tmpstr), sizeof(banstr)-1);
  32                         new_free(&tmpstr);
  33                         break;
  34                 case 1: /* Normal       */
  35                 default:
  36                 {
  37 -                       sprintf(banstr, "%s!*%s@%s", nick, t1, host);
  38 +                       snprintf(banstr, sizeof(banstr), "%s!*%s@%s", nick, t1, host);
  39                         break;
  40                 }
  41         }
  42 diff -ru BitchX-old/source/ctcp.c BitchX/source/ctcp.c
  43 --- BitchX-old/source/ctcp.c    2002-02-28 06:22:47.000000000 +0200
  44 +++ BitchX/source/ctcp.c        2003-03-13 19:59:35.000000000 +0200
  45 @@ -1482,6 +1482,7 @@
  46              *putbuf2;
  47         int len;
  48         len = IRCD_BUFFER_SIZE - (12 + strlen(to));
  49 +       if (len <= 2) return;
  50         putbuf2 = alloca(len);
  51
  52         if (format)
  53 diff -ru BitchX-old/source/misc.c BitchX/source/misc.c
  54 --- BitchX-old/source/misc.c    2002-03-24 11:31:07.000000000 +0200
  55 +++ BitchX/source/misc.c        2003-03-13 20:02:13.000000000 +0200
  56 @@ -3121,19 +3121,19 @@
  57         {
  58                 if (*hostname == '~')
  59                         hostname++;
  60 -               strcpy(result, hostname);
  61 +               strmcpy(result, hostname, sizeof(result)-1);
  62                 *strchr(result, '@') = '\0';
  63                 if (strlen(result) > 9)
  64                 {
  65                         result[8] = '*';
  66                         result[9] = '\0';
  67                 }
  68 -               strcat(result, "@");
  69 +               strmcat(result, "@", sizeof(result)-1);
  70                 if (!(hostname = strchr(hostname, '@')))
  71                         return NULL;
  72                 hostname++;
  73         }
  74 -       strcpy(host, hostname);
  75 +       strmcpy(host, hostname, sizeof(host)-1);
  76
  77         if (*host && isdigit(*(host + strlen(host) - 1)))
  78         {
  79 @@ -3154,8 +3154,8 @@
  80                  for (i = 0; i < count; i++)
  81                          tmp = strchr(tmp, '.') + 1;
  82                  *tmp = '\0';
  83 -                strcat(result, host);
  84 -                strcat(result, "*");
  85 +                strmcat(result, host, sizeof(result)-1);
  86 +                strmcat(result, "*", sizeof(result)-1);
  87         }
  88         else
  89         {
  90 @@ -3177,10 +3177,10 @@
  91                         else
  92                                 return (char *) NULL;
  93                 }
  94 -               strcat(result, "*");
  95 +               strmcat(result, "*", sizeof(result)-1);
  96                 if (my_stricmp(host, temphost))
  97 -                       strcat(result, ".");
  98 -               strcat(result, host);
  99 +                       strmcat(result, ".", sizeof(result)-1);
 100 +               strmcat(result, host, sizeof(result)-1);
 101         }
 102         return result;
 103  }
 104 diff -ru BitchX-old/source/names.c BitchX/source/names.c
 105 --- BitchX-old/source/names.c   2002-03-25 22:47:30.000000000 +0200
 106 +++ BitchX/source/names.c       2003-03-13 20:10:26.000000000 +0200
 107 @@ -572,7 +572,7 @@
 108
 109         *nmodes = 0;
 110         *nargs = 0;
 111 -       for (; *modes; modes++)
 112 +       for (; *modes && strlen(nmodes) < sizeof(nmodes)-2; modes++)
 113         {
 114                 isbanned = isopped = isvoiced = 0;
 115                 switch (*modes)
 116 @@ -742,7 +742,7 @@
 117
 118     /* modes which can be done multiple times are added here */
 119
 120 -       for (tucm = ucm; tucm; tucm = tucm->next)
 121 +       for (tucm = ucm; tucm && strlen(nmodes) < sizeof(nmodes)-2; tucm = tucm->next)
 122         {
 123                 if (tucm->o_ed)
 124                 {
 125 diff -ru BitchX-old/source/notice.c BitchX/source/notice.c
 126 --- BitchX-old/source/notice.c  2002-02-28 06:22:50.000000000 +0200
 127 +++ BitchX/source/notice.c      2003-03-13 20:07:39.000000000 +0200
 128 @@ -422,10 +422,10 @@
 129         {
 130                 char *q = strchr(line, ':');
 131                 char *port = empty_string;
 132 -               int conn = !strncmp(line+7, "connect", 7) ? 1 : 0;
 133 +               int conn = strlen(line) > 7 && !strncmp(line+7, "connect", 7) ? 1 : 0;
 134                 int dalnet = 0, ircnet = 0;
 135
 136 -               if (*(line+18) == ':')
 137 +               if (strlen(line) > 18 && *(line+18) == ':')
 138                         q = NULL;
 139                 else
 140                         dalnet = (q == NULL);
 141 @@ -462,7 +462,7 @@
 142                     else sscanf(p, "%s was %s from %s", for_, fr, temp);
 143
 144                     q = p;
 145 -                   sprintf(q, "%s@%s", fr, temp);
 146 +                   snprintf(q, strlen(q)+1, "%s@%s", fr, temp);
 147                     if (!conn)
 148                     {
 149                         port = strstr(temp2, "reason:");
 150 diff -ru BitchX-old/source/server.c BitchX/source/server.c
 151 --- BitchX-old/source/server.c  2002-03-25 07:21:24.000000000 +0200
 152 +++ BitchX/source/server.c      2003-03-13 20:10:00.000000000 +0200
 153 @@ -474,11 +474,11 @@
 154                                         }
 155                                         else
 156  #endif
 157 -                                               junk = dgets(bufptr, des, 1, BIG_BUFFER_SIZE, server_list[i].ssl_fd);
 158 +                                               junk = dgets(bufptr, des, 1, BIG_BUFFER_SIZE/2, server_list[i].ssl_fd);
 159                                 }
 160                                 else
 161  #endif
 162 -                                       junk = dgets(bufptr, des, 1, BIG_BUFFER_SIZE, NULL);
 163 +                                       junk = dgets(bufptr, des, 1, BIG_BUFFER_SIZE/2, NULL);
 164                         }
 165                         switch (junk)
 166                         {
 167 @@ -1741,7 +1741,7 @@
 168                         default:
 169                                 if (FD_ISSET(des, &rd))
 170                                 {
 171 -                                       if (!dgets(buffer, des, 0, BIG_BUFFER_SIZE, NULL))
 172 +                                       if (!dgets(buffer, des, 0, BIG_BUFFER_SIZE/2, NULL))
 173                                                 flushing = 0;
 174                                 }
 175                                 break;
 176 @@ -1751,7 +1751,7 @@
 177         FD_ZERO(&rd);
 178         FD_SET(des, &rd);
 179         if (new_select(&rd, NULL, &timeout) > 0)
 180 -               dgets(buffer, des, 1, BIG_BUFFER_SIZE, NULL);
 181 +               dgets(buffer, des, 1, BIG_BUFFER_SIZE/2, NULL);
 182  }