projects / irc / quakenet / snircd-patchqueue.git / blame
| Commit | Line | Data |
|---|---|---|
| edb26b39 P |
1 | # HG changeset patch |
| 2 | # Parent f2742ea6dd04e8f034c24b3dc40532fdfff6a842 | |
| 3 | ||
| 4 | diff -r f2742ea6dd04 ircd/whocmds.c | |
| 5 | --- a/ircd/whocmds.c Sun Jul 14 18:26:15 2013 +0100 | |
| 6 | +++ b/ircd/whocmds.c Sun Jul 14 18:26:35 2013 +0100 | |
| 7 | @@ -74,9 +74,14 @@ | |
| 8 | char *p1; | |
| 9 | struct Membership *chan = 0; | |
| 10 | ||
| 11 | - static char buf1[512]; | |
| 12 | + static char buf1[1024]; | |
| 13 | /* NOTE: with current fields list and sizes this _cannot_ overrun, | |
| 14 | and also the message finally sent shouldn't ever be truncated */ | |
| 15 | + /* NOTE2: HACK this has been doubled to 1024 as we're getting far too close... | |
| 16 | + ideally this would be rewritten but that's likely to introduce more bugs. | |
| 17 | + truncation is better than a buffer overflow exploit... | |
| 18 | + now we truncate to 512 manually at the end of the function, | |
| 19 | + I guess it's truncated in one of the functions in send_reply too... */ | |
| 20 | ||
| 21 | p1 = buf1; | |
| 22 | buf1[1] = '\0'; | |
| 23 | @@ -276,5 +281,8 @@ | |
| 24 | need to terminate buf1 */ | |
| 25 | *p1 = '\0'; | |
| 26 | p1 = buf1; | |
| 27 | + | |
| 28 | + buf1[511] = '\0'; | |
| 29 | + | |
| 30 | send_reply(sptr, fields ? RPL_WHOSPCRPL : RPL_WHOREPLY, ++p1); | |
| 31 | } |