mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-07-02 11:06:38 +02:00
717c9cbfa5
The OOB write did not happen on file-backed downloads, such as remote includes. It only happened for memory-backed requests, which are only these 4 in standard UnrealIRCd: centralblocklist, central spam report, other spamreport blocks (e.g. to dronebl) and the log block with destination webhook. All those 4 cases are very likely to be trusted web servers, given the nature of the data you are sending to them. The fix was to extend the size fields everywhere to 64 bits. It was applied to both URL backends: url_unreal.c and url_curl.c. The new API feature is a 'max_size' in OutgoingWebRequest, which defaults to 1MB. This is only used for memory-backed responses, so not for real file downloads. This fixes not only the reported bug but also the case where a rogue webserver was unbounded in terms of what response it could send back, potentially filling up gigabytes of server memory. Reported by Link420.
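The two defensive properties the commit message describes for memory-backed responses, 64-bit size fields and a hard `max_size` cap (1MB default), are illustrated below in an added example that is not UnrealIRCd's code and does not reproduce the project's url_unreal.c or url_curl.c. All names (`mem_response`, `mem_response_append`, `feed_constructed_response`, `DEFAULT_MAX_SIZE`) are hypothetical; the append function only follows the shape of a libcurl-style write callback, where `size * nmemb` bytes arrive per call, and the input fed to it is constructed.

```c
/* Added example, not UnrealIRCd code: a memory-backed HTTP response
 * accumulator whose size fields are all 64-bit and which refuses to grow
 * past a configurable max_size. All identifiers here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1MB default cap, matching the default the commit message describes */
#define DEFAULT_MAX_SIZE (1024ULL * 1024ULL)

typedef struct {
    char *data;
    uint64_t len;      /* bytes stored so far */
    uint64_t cap;      /* bytes allocated (always <= max_size + 1) */
    uint64_t max_size; /* hard cap for memory-backed responses */
    int overflowed;    /* set once a chunk would exceed max_size */
} mem_response;

void mem_response_init(mem_response *r, uint64_t max_size)
{
    memset(r, 0, sizeof(*r));
    r->max_size = max_size ? max_size : DEFAULT_MAX_SIZE;
}

void mem_response_free(mem_response *r)
{
    free(r->data);
    memset(r, 0, sizeof(*r));
}

/* Append one received chunk of size*nmemb bytes (libcurl write-callback
 * shape). Returns 1 on success, 0 if the chunk was refused. */
int mem_response_append(mem_response *r, const char *chunk, size_t size, size_t nmemb)
{
    uint64_t incoming;

    /* Do not trust size*nmemb until the multiplication itself is checked */
    if (size != 0 && nmemb > UINT64_MAX / size)
        return 0;
    incoming = (uint64_t)size * (uint64_t)nmemb;

    /* len <= max_size is an invariant, so this subtraction cannot wrap;
     * comparing this way avoids computing len + incoming before the check */
    if (incoming > r->max_size - r->len) {
        r->overflowed = 1;
        return 0;
    }

    if (r->len + incoming + 1 > r->cap) {
        uint64_t newcap = r->cap ? r->cap : 4096;
        while (newcap < r->len + incoming + 1)
            newcap *= 2;
        if (newcap > r->max_size + 1)
            newcap = r->max_size + 1; /* never allocate beyond the cap */
        char *p = realloc(r->data, (size_t)newcap);
        if (!p)
            return 0;
        r->data = p;
        r->cap = newcap;
    }

    memcpy(r->data + r->len, chunk, (size_t)incoming);
    r->len += incoming;
    r->data[r->len] = '\0'; /* keep the body NUL-terminated for text consumers */
    return 1;
}

/* Simulate a server sending total_bytes of constructed filler in fixed-size
 * chunks; returns how many bytes the accumulator accepted. */
uint64_t feed_constructed_response(mem_response *r, uint64_t total_bytes, size_t chunk_size)
{
    char buf[4096];
    uint64_t sent = 0;

    memset(buf, 'A', sizeof(buf)); /* constructed payload, not real data */
    if (chunk_size > sizeof(buf))
        chunk_size = sizeof(buf);

    while (sent < total_bytes) {
        uint64_t left = total_bytes - sent;
        size_t n = (size_t)(left < chunk_size ? left : chunk_size);
        if (!mem_response_append(r, buf, 1, n))
            break; /* cap reached: stop reading from this server */
        sent += n;
    }
    return r->len;
}

int main(void)
{
    mem_response r;

    mem_response_init(&r, 1024); /* small cap to make the refusal visible */
    feed_constructed_response(&r, 2000, 512);
    printf("accepted %llu bytes, overflowed=%d\n",
           (unsigned long long)r.len, r.overflowed);
    mem_response_free(&r);
    return 0;
}
```

The key detail is that the cap is checked before the total is computed and before any reallocation, so a response larger than `max_size` can neither exceed the buffer nor keep the allocation growing; a caller that gets 0 back should abort the transfer rather than retry.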