From 51a739df615f8ec66fbe1e9682ec3c3218254ad7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= Date: Fri, 14 Feb 2020 08:08:23 +0100 Subject: [PATCH] irc: fix crash when receiving a malformed message 324 (channel mode) (CVE-2020-8955) Thanks to Stuart Nevans Locke for reporting the issue. --- ChangeLog.adoc | 7 +++++++ src/plugins/irc/irc-mode.c | 21 ++++++++++++--------- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/ChangeLog.adoc b/ChangeLog.adoc index 8caea703e..c33ee80ac 100644 --- a/ChangeLog.adoc +++ b/ChangeLog.adoc @@ -15,6 +15,13 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes] (file _ReleaseNotes.adoc_ in sources). +[[v2.7.1]] +== Version 2.7.1 (under dev) + +Bug fixes:: + + * irc: fix crash when receiving a malformed message 324 (channel mode) (CVE-2020-8955) + [[v2.7]] == Version 2.7 (2019-12-08) diff --git a/src/plugins/irc/irc-mode.c b/src/plugins/irc/irc-mode.c index d6c749168..55e0b612a 100644 --- a/src/plugins/irc/irc-mode.c +++ b/src/plugins/irc/irc-mode.c @@ -224,17 +224,20 @@ irc_mode_channel_update (struct t_irc_server *server, current_arg++; if (pos[0] == chanmode) { - chanmode_found = 1; - if (set_flag == '+') + if (!chanmode_found) { - str_mode[0] = pos[0]; - str_mode[1] = '\0'; - strcat (new_modes, str_mode); - if (argument) + chanmode_found = 1; + if (set_flag == '+') { - if (new_args[0]) - strcat (new_args, " "); - strcat (new_args, argument); + str_mode[0] = pos[0]; + str_mode[1] = '\0'; + strcat (new_modes, str_mode); + if (argument) + { + if (new_args[0]) + strcat (new_args, " "); + strcat (new_args, argument); + } } } }