Change send_umode() make sure the buffer isn't overflowed

diff --git a/include/h.h b/include/h.h
index c643feaf0733965a712d63b313286dcf6b353474..636487822911d8a0abf8be0bfe09303446630513 100644 (file)
--- a/include/h.h
+++ b/include/h.h
@@ -262,7 +262,7 @@ extern aClient       *next_client_double(aClient *, char *);
 
 extern int       m_umode(aClient *, aClient *, int, char **);
 extern int       m_names(aClient *, aClient *, int, char **);
-extern void      send_umode(aClient *, aClient *, int, int, char *);
+extern void      send_umode(aClient *, aClient *, long, long, char *, int);
 extern int       del_silence(aClient *, char *);
 
 

diff --git a/src/m_nick.c b/src/m_nick.c
index b3aba5337974b234306ba493fe1c040238b3420c..6c8c28c35b535b5502e62bbe76d38d82e1d17351 100644 (file)
--- a/src/m_nick.c
+++ b/src/m_nick.c
@@ -537,7 +537,7 @@ int m_nick(aClient *cptr, aClient *sptr, int parc, char *parv[])
 
                    oldumode = sptr->umode;
                    sptr->umode &= ~UMODE_r;
-                   send_umode(sptr, sptr, oldumode, ALL_UMODES, mbuf);
+                   send_umode(sptr, sptr, oldumode, ALL_UMODES, mbuf, sizeof(mbuf));
                }
 
                 /* LOCAL NICKHANGE */

diff --git a/src/m_server.c b/src/m_server.c
index 87f4f6d282268c7efbc54aa14599e873e2b00a4c..908c7ad4fc41f33a80a453f0e8fd9bfcf728ac75 100644 (file)
--- a/src/m_server.c
+++ b/src/m_server.c
@@ -47,7 +47,7 @@ static void sendnick_TS(aClient *cptr, aClient *acptr)
 
     if (IsPerson(acptr))
     {
-        send_umode(NULL, acptr, 0, SEND_UMODES, ubuf);
+        send_umode(NULL, acptr, 0, SEND_UMODES, ubuf, sizeof(ubuf));
         if (!*ubuf)     /* trivial optimization - Dianora */
         {
             ubuf[0] = '+';

diff --git a/src/m_services.c b/src/m_services.c
index 375729be4f4b9135290cdf35d40564c617e973d0..231ddcc6b7d97cad3ff581d201350144dccfe7c7 100644 (file)
--- a/src/m_services.c
+++ b/src/m_services.c
@@ -229,7 +229,7 @@ int m_svsnick(aClient *cptr, aClient *sptr, int parc, char *parv[])
        oldumode = acptr->umode;
        acptr->umode &= ~UMODE_r;
 
-        send_umode(acptr, acptr, oldumode, ALL_UMODES, mbuf);
+        send_umode(acptr, acptr, oldumode, ALL_UMODES, mbuf, sizeof(mbuf));
     }
 
     acptr->tsinfo = atoi(parv[3]);
@@ -460,7 +460,7 @@ int m_svsmode(aClient *cptr, aClient *sptr, int parc, char *parv[])
     if (MyClient(acptr) && (oldumode != acptr->umode))
     {
         char buf[BUFSIZE];
-        send_umode(acptr, acptr, oldumode, ALL_UMODES, buf);
+        send_umode(acptr, acptr, oldumode, ALL_UMODES, buf, sizeof(buf));
     }
 
     return 0;

diff --git a/src/s_user.c b/src/s_user.c
index ef83c711d200af809d75bbf61e153ba4116be8d1..b559983e288955402059c81dd895819db53dceef 100644 (file)
--- a/src/s_user.c
+++ b/src/s_user.c
@@ -1099,7 +1099,7 @@ register_user(aClient *cptr, aClient *sptr, char *nick, char *username,
             }
         }
     }
-    send_umode(NULL, sptr, 0, SEND_UMODES, ubuf);
+    send_umode(NULL, sptr, 0, SEND_UMODES, ubuf, sizeof(ubuf));
     if (!*ubuf)
     {
         ubuf[0] = '+';
@@ -1129,7 +1129,7 @@ register_user(aClient *cptr, aClient *sptr, char *nick, char *username,
 
         memset(sptr->passwd, '\0', PASSWDLEN);
         
-        if (ubuf[1]) send_umode(cptr, sptr, 0, ALL_UMODES, ubuf);
+        if (ubuf[1]) send_umode(cptr, sptr, 0, ALL_UMODES, ubuf, sizeof(ubuf));
 
         if(call_hooks(CHOOK_POSTMOTD, sptr) == FLUSH_BUFFER)
             return FLUSH_BUFFER;
@@ -2190,7 +2190,7 @@ m_whois(aClient *cptr, aClient *sptr, int parc, char *parv[])
         if(IsAdmin(sptr))
         {
             buf2[0]='\0';
-            send_umode(NULL, acptr, 0, ALL_UMODES, buf2);
+            send_umode(NULL, acptr, 0, ALL_UMODES, buf2, sizeof(buf2));
             if (!*buf2)
             {
                 buf2[0] = '+';
@@ -2881,7 +2881,7 @@ send_umode_out(aClient *cptr, aClient *sptr, int old)
     aClient *acptr;
     DLink *lp;
 
-    send_umode(NULL, sptr, old, SEND_UMODES, buf);
+    send_umode(NULL, sptr, old, SEND_UMODES, buf, sizeof(buf));
 
     if(*buf)
     {
@@ -2895,7 +2895,7 @@ send_umode_out(aClient *cptr, aClient *sptr, int old)
     }
 
     if (cptr && MyClient(cptr))
-        send_umode(cptr, sptr, old, ALL_UMODES, buf);
+        send_umode(cptr, sptr, old, ALL_UMODES, buf, sizeof(buf));
 }
 
 /*
@@ -3418,10 +3418,11 @@ m_umode(aClient *cptr, aClient *sptr, int parc, char *parv[])
 
 /* send the MODE string for user (user) to connection cptr -avalon */
 void 
-send_umode(aClient *cptr, aClient *sptr, int old, int sendmask, char *umode_buf)
+send_umode(aClient *cptr, aClient *sptr, long old, long sendmask, char *umode_buf, int bufsize)
 {
     int *s, flag, what = MODE_NULL;
     char *m;
+    int len;
 
     /*
      * build a string in umode_buf to represent the change in the user's
@@ -3429,6 +3430,8 @@ send_umode(aClient *cptr, aClient *sptr, int old, int sendmask, char *umode_buf)
      */
     m = umode_buf;
     *m = '\0';
+    len = 0;
+    bufsize--; /* To have enough space for the null termination char */
     for (s = user_modes; (flag = *s); s += 2)
     {
         if (MyClient(sptr) && !(flag & sendmask))
@@ -3436,23 +3439,35 @@ send_umode(aClient *cptr, aClient *sptr, int old, int sendmask, char *umode_buf)
         if ((flag & old) && !(sptr->umode & flag))
         {
             if (what == MODE_DEL)
+            {
+                if(len+1 > bufsize) break;
                 *m++ = *(s + 1);
+                len++;
+            }
             else
             {
+                if(len+2 > bufsize) break;
                 what = MODE_DEL;
                 *m++ = '-';
                 *m++ = *(s + 1);
+                len += 2;
             }
         }
         else if (!(flag & old) && (sptr->umode & flag))
         {
             if (what == MODE_ADD)
+            {
+                if(len+1 > bufsize) break;
                 *m++ = *(s + 1);
+                len++;
+            }
             else
             {
+                if(len+2 > bufsize) break;
                 what = MODE_ADD;
                 *m++ = '+';
                 *m++ = *(s + 1);
+                len += 2;
             }
         }
     }