From: Simon Arlott
Date: Sat, 6 Feb 2016 15:50:17 +0000 (+0000)
Subject: ircd: chmode: Avoid referencing beyond the end of the flags_list array in set_channel...
X-Git-Url: https://jfr.im/git/solanum.git/commitdiff_plain/87c44482d0e859759813ad232227623cc9a5384b?hp=41aed6bbf74bce4689042fc89cd5324678ae92ee

ircd: chmode: Avoid referencing beyond the end of the flags_list array in set_channel_mode

We're setting flags to flags_list[3] at the end of the loop, but the array only has 3 elements. Unless the compiler optimises this away (because flags will not be used again) we're accessing memory beyond the end of the array.

With gcc-4.9:
chmode.c: In function 'set_channel_mode':
chmode.c:1548:54: warning: iteration 2u invokes undefined behavior [-Waggressive-loop-optimizations]
 for(j = 0, flags = flags_list[0]; j < 3; j++, flags = flags_list[j])
                                                     ^
chmode.c:1548:2: note: containing loop
 for(j = 0, flags = flags_list[0]; j < 3; j++, flags = flags_list[j])

Explicitly set "flags = flags_list[j]" at the start of each loop iteration, which will avoid referencing off the end of the array.
---
diff --git a/ircd/chmode.c b/ircd/chmode.c index f1c32b6d..4759d318 100644 --- a/ircd/chmode.c +++ b/ircd/chmode.c @@ -1747,8 +1747,9 @@ set_channel_mode(struct Client *client_p, struct Client *source_p, source_p->name, source_p->username, source_p->host, chptr->chname); - for(j = 0, flags = flags_list[0]; j < 3; j++, flags = flags_list[j]) + for(j = 0; j < 3; j++) { + flags = flags_list[j]; cur_len = mlen; mbuf = modebuf + mlen; pbuf = parabuf;
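
Review bot: the bound in `for(j = 0; j < 3; j++)` is still a bare literal that has to be kept equal to the length of flags_list by hand, and that hand-maintained coupling is what allowed the old increment expression to evaluate flags_list[3]. The declaration of flags_list is not visible in this hunk, but if it is a true array in scope here, deriving the bound from it (a sizeof(flags_list) / sizeof(flags_list[0]) element count, or a named constant shared with the declaration) would keep the index and the array from drifting apart if an entry is ever added or removed. Moving `flags = flags_list[j];` into the loop body is otherwise the right shape for the fix, since the index is now only evaluated for values of j that have already passed the `j < 3` test.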