Fix OOB write if a trusted linked server sends malicious data.

NOTE: Linked servers are considered trusted in UnrealIRCd.

This is not exploitable beyond a crash, due to -fstack-protector-all,
a hardening compiler flag we added many years ago. Even without
that flag it would be rather difficult, and i didn't manage to,
but this should never happen anyway since this flag is only
missing in gcc/clang versions that are more than 15 years old.

This issue was introduced by the move to CMD_BIGLINES in
6c5de62c18 in 6.2.2 release.

doc/RELEASE-NOTES.md

@@ -50,6 +50,7 @@ hardening and has quite a number of bug fixes.
 ### Fixes:
 * Crash when using [Extended Server Bans](https://www.unrealircd.org/docs/Extended_server_bans)
   with invalid syntax in the configuration file.
+* Crash on malicious server-to-server traffic (OOB write), bug introduced in 6.2.2.
 * Linking could cause splitting the wrong server when a duplicate link was detected.
 * Don't show confusing `CENTRAL_BLOCKLIST_TIMEOUT` message when user is shunned by CBL.
 * Various memory leaks were fixed. Mostly a couple of bytes on `REHASH` in

src/channel.c

@@ -298,8 +298,8 @@ int add_listmode_ex(Ban **list, Client *client, Channel *channel, const char *ba
 	}
 
 	/* Update/set if this ban is new or older than existing one */
-	safe_strdup(ban->banstr, banid); /* cAsE may differ, use oldest version of it */
-	safe_strdup(ban->who, setby);
+	safe_strldup(ban->banstr, banid, MAXBANLEN+1); /* cAsE may differ, use oldest version of it */
+	safe_strldup(ban->who, setby, NICKLEN+USERLEN+HOSTLEN+4);
 	ban->when = seton;
 	return isnew ? 1 : 0;
 }

src/modules/sjoin.c

@@ -377,6 +377,9 @@ CMD_FUNC(cmd_sjoin)
 			setby = p;
 			sjsby_info = 1;
 
+			if (strlen(setby) > NICKLEN + USERLEN + HOSTLEN + 3)
+				setby[NICKLEN + USERLEN + HOSTLEN + 3] = '\0';
+
 			tp = end; /* the remainder is used for the actual ban/exempt/invex */
 		}