From 606a35bed00eb4e0f8d105e6eaaeaad7f25042b9 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Fri, 8 May 2020 14:58:49 +0200 Subject: [PATCH] Fix crash when using deny link::rule with oversized argument. Reported by moody in https://bugs.unrealircd.org/view.php?id=5667 --- src/crule.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/crule.c b/src/crule.c index 12b2c5ea9..faa9e6a2a 100644 --- a/src/crule.c +++ b/src/crule.c @@ -306,7 +306,7 @@ int crule_gettoken(int *next_tokp, char **ruleptr) void crule_getword(char *word, int *wordlenp, int maxlen, char **ruleptr) { - char *word_ptr; + char *word_ptr, c; word_ptr = word; /* Both - and : can appear in hostnames so they must not be @@ -315,8 +315,16 @@ void crule_getword(char *word, int *wordlenp, int maxlen, char **ruleptr) while ((isalnum(**ruleptr)) || (**ruleptr == '*') || (**ruleptr == '?') || (**ruleptr == '.') || (**ruleptr == '-') || (**ruleptr == ':')) - *word_ptr++ = *(*ruleptr)++; - *word_ptr = '\0'; + { + c = *(*ruleptr)++; + if (maxlen > 1) /* >1 instead of >0 so we (possibly) still have room for NUL */ + { + *word_ptr++ = c; + maxlen--; + } + } + if (maxlen) + *word_ptr = '\0'; *wordlenp = word_ptr - word; }