]>
Commit | Line | Data |
---|---|---|
edb26b39 P |
1 | # HG changeset patch |
2 | # Parent f2742ea6dd04e8f034c24b3dc40532fdfff6a842 | |
3 | ||
4 | diff -r f2742ea6dd04 ircd/whocmds.c | |
5 | --- a/ircd/whocmds.c Sun Jul 14 18:26:15 2013 +0100 | |
6 | +++ b/ircd/whocmds.c Sun Jul 14 18:26:35 2013 +0100 | |
7 | @@ -74,9 +74,14 @@ | |
8 | char *p1; | |
9 | struct Membership *chan = 0; | |
10 | ||
11 | - static char buf1[512]; | |
12 | + static char buf1[1024]; | |
13 | /* NOTE: with current fields list and sizes this _cannot_ overrun, | |
14 | and also the message finally sent shouldn't ever be truncated */ | |
15 | + /* NOTE2: HACK this has been doubled to 1024 as we're getting far too close... | |
16 | + ideally this would be rewritten but that's likely to introduce more bugs. | |
17 | + truncation is better than a buffer overflow exploit... | |
18 | + now we truncate to 512 manually at the end of the function, | |
19 | + I guess it's truncated in one of the functions in send_reply too... */ | |
20 | ||
21 | p1 = buf1; | |
22 | buf1[1] = '\0'; | |
23 | @@ -276,5 +281,8 @@ | |
24 | need to terminate buf1 */ | |
25 | *p1 = '\0'; | |
26 | p1 = buf1; | |
27 | + | |
28 | + buf1[511] = '\0'; | |
29 | + | |
30 | send_reply(sptr, fields ? RPL_WHOSPCRPL : RPL_WHOREPLY, ++p1); | |
31 | } |