bufferextend.patch

   1 # HG changeset patch
   2 # Parent f2742ea6dd04e8f034c24b3dc40532fdfff6a842
   3
   4 diff -r f2742ea6dd04 ircd/whocmds.c
   5 --- a/ircd/whocmds.c    Sun Jul 14 18:26:15 2013 +0100
   6 +++ b/ircd/whocmds.c    Sun Jul 14 18:26:35 2013 +0100
   7 @@ -74,9 +74,14 @@
   8    char *p1;
   9    struct Membership *chan = 0;
  10
  11 -  static char buf1[512];
  12 +  static char buf1[1024];
  13    /* NOTE: with current fields list and sizes this _cannot_ overrun,
  14       and also the message finally sent shouldn't ever be truncated */
  15 +  /* NOTE2: HACK this has been doubled to 1024 as we're getting far too close...
  16 +     ideally this would be rewritten but that's likely to introduce more bugs.
  17 +     truncation is better than a buffer overflow exploit...
  18 +     now we truncate to 512 manually at the end of the function,
  19 +     I guess it's truncated in one of the functions in send_reply too... */
  20
  21    p1 = buf1;
  22    buf1[1] = '\0';
  23 @@ -276,5 +281,8 @@
  24       need to terminate buf1 */
  25    *p1 = '\0';
  26    p1 = buf1;
  27 +
  28 +  buf1[511] = '\0';
  29 +
  30    send_reply(sptr, fields ? RPL_WHOSPCRPL : RPL_WHOREPLY, ++p1);
  31  }