mirror of
https://github.com/weechat/weechat.git
synced 2026-07-03 16:23:14 +02:00
irc: limit size of data received from the server to prevent memory exhaustion
A malicious or compromised IRC server could send data with no end-of-line (or a flood of "005" messages), making WeeChat accumulate it in a buffer that grew without limit, until all memory was exhausted. The unterminated received message and the accumulated "005" (ISUPPORT) data are now bounded by IRC_SERVER_RECV_MSG_MAX_LENGTH and IRC_SERVER_ISUPPORT_MAX_LENGTH: extra data is ignored once the limit is reached.
This commit is contained in:
@@ -3409,6 +3409,14 @@ irc_server_msgq_add_unterminated (struct t_irc_server *server,
|
||||
|
||||
if (server->unterminated_message)
|
||||
{
|
||||
/*
|
||||
* limit the size of the unterminated message: once the maximum is
|
||||
* reached, ignore the extra data (protection against a server sending
|
||||
* a very long line without end-of-line, which would consume all the
|
||||
* memory)
|
||||
*/
|
||||
if (strlen (server->unterminated_message) >= IRC_SERVER_RECV_MSG_MAX_LENGTH)
|
||||
return;
|
||||
unterminated_message2 =
|
||||
realloc (server->unterminated_message,
|
||||
(strlen (server->unterminated_message) +
|
||||
|
||||
Reference in New Issue
Block a user