diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d5c97826..9fc04ab88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 - relay: limit size of partial message received while reading an HTTP request to prevent memory exhaustion
 - relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc), [CVE-2026-53525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53525))
 - relay: fix out-of-bounds read in dump of data ([#2324](https://github.com/weechat/weechat/issues/2324))
+- relay/api: fix memory leak in resources "handshake", "input" and "completion"
 - api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc), [CVE-2026-53525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53525))
 - xfer: replace directory separator in remote nick by underscore in download filename to prevent writing the file outside the download directory ([#2321](https://github.com/weechat/weechat/issues/2321))
 - xfer: fix out-of-bounds read when receiving empty line in DCC chat ([#2323](https://github.com/weechat/weechat/issues/2323))
diff --git a/src/plugins/relay/api/relay-api-protocol.c b/src/plugins/relay/api/relay-api-protocol.c
index 120c3155b..7a71f68c4 100644
--- a/src/plugins/relay/api/relay-api-protocol.c
+++ b/src/plugins/relay/api/relay-api-protocol.c
@@ -402,7 +402,10 @@ RELAY_API_PROTOCOL_CALLBACK(handshake)
 if (json_body)
 {
 if (!cJSON_IsObject (json_body))
+ {
+ cJSON_Delete (json_body);
 return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+ }
 json_algos = cJSON_GetObjectItem (json_body, "password_hash_algo");
 if (json_algos)
 {
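Review bot: The added `cJSON_Delete (json_body);` releases the parsed body only on the non-object exit of `handshake`, and the `input` and `completion` hunks patch the same single exit, so every other `return` between the parse and the normal release still has to be audited by hand. The callbacks start and end outside these hunks, so I cannot confirm that no such path remains. The other two hunks show the body being parsed from `client->http_req->body`, so a leftover leak would let a peer grow the relay's memory with repeated malformed requests. Routing all exits after the parse through one label that calls `cJSON_Delete (json_body);` before returning the stored code would make the release structural rather than per-branch. At minimum, document the ownership where the body is parsed, e.g. `/* json_body is owned by this callback: every return below must free it */`.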
@@ -839,8 +842,13 @@ RELAY_API_PROTOCOL_CALLBACK(input)
 char str_delay[32];
 json_body = cJSON_Parse (client->http_req->body);
- if (!json_body || !cJSON_IsObject (json_body))
+ if (!json_body)
 return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+ if (!cJSON_IsObject (json_body))
+ {
+ cJSON_Delete (json_body);
+ return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+ }
 /* get buffer either by name or by id */
 ptr_buffer = NULL;
@@ -966,8 +974,13 @@ RELAY_API_PROTOCOL_CALLBACK(completion)
 struct t_gui_buffer *ptr_buffer;
 json_body = cJSON_Parse (client->http_req->body);
- if (!json_body || !cJSON_IsObject(json_body))
+ if (!json_body)
 return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+ if (!cJSON_IsObject(json_body))
+ {
+ cJSON_Delete (json_body);
+ return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+ }
 /* get buffer either by name or by id */
 ptr_buffer = NULL;
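Review bot: Splitting the check in `input` into two `if` statements is not needed to fix the leak, because `cJSON_Delete` does nothing when passed NULL. Keeping the original condition `if (!json_body || !cJSON_IsObject (json_body))` and giving it a braced body with `cJSON_Delete (json_body);` before the `return` leaves one rejection path instead of two that must stay in sync. The `completion` hunk has the same shape. The callback body continues outside the hunk.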
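Review bot: The added line `if (!cJSON_IsObject(json_body))` in `completion` carries over the missing space before the parenthesis from the removed line, while the `handshake` and `input` hunks and the `cJSON_Delete (json_body);` call two lines below use the spaced form. Since the line is rewritten by this change anyway, write it as `if (!cJSON_IsObject (json_body))`.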