From 9cb68b13a94175b6fc64a9d9f20b2b923a1c0b09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= Date: Sat, 10 Sep 2022 13:42:35 +0200 Subject: [PATCH] irc: replace chars "\01" by spaces in CTCP replies (closes #1819) This prevents any attack due to an external security issue in the Linux netfilter implementation (nf_conntrack_irc). See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663 --- ChangeLog.adoc | 1 + src/plugins/irc/irc-ctcp.c | 115 ++++++++++++++++++++++--------------- 2 files changed, 69 insertions(+), 47 deletions(-) diff --git a/ChangeLog.adoc b/ChangeLog.adoc index 32f2e9d38..a434a2a58 100644 --- a/ChangeLog.adoc +++ b/ChangeLog.adoc @@ -40,6 +40,7 @@ Bug fixes:: * irc: fix extract of isupport value when it is last in list and without value (issue #1807) * irc: fix target buffer of generic errors when they contain a target nick (issue #1814) * irc: fix display of message 350 (whois, gateway) (issue #1815) + * irc: replace chars "\01" by spaces in CTCP replies (issue #1819) * guile: fix function hdata_get_string * javascript: fix return of long value in functions infolist_time, hdata_long and hdata_time * php: fix function hdata_compare diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c index 23323d017..2faab81e3 100644 --- a/src/plugins/irc/irc-ctcp.c +++ b/src/plugins/irc/irc-ctcp.c @@ -270,15 +270,32 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server, { struct t_hashtable *hashtable; int number; - char hash_key[32]; + char hash_key[32], *str_args_color, *dup_ctcp, *dup_args; const char *str_args; - char *str_args_color, *ctcp_upper; - ctcp_upper = strdup (ctcp); - if (!ctcp_upper) - return; + dup_ctcp = NULL; + dup_args = NULL; + hashtable = NULL; - weechat_string_toupper (ctcp_upper); + /* + * replace any "\01" by a space to prevent any firewall attack via + * nf_conntrack_irc (CVE-2022-2663) + */ + dup_ctcp = weechat_string_replace (ctcp, "\01", " "); + if (!dup_ctcp) + goto end; + weechat_string_toupper (dup_ctcp); + + if (arguments) + { + /* + * replace any "\01" by a space to prevent any firewall attack via + * nf_conntrack_irc (CVE-2022-2663) + */ + dup_args = weechat_string_replace (arguments, "\01", " "); + if (!dup_args) + goto end; + } hashtable = irc_server_sendf ( server, @@ -286,53 +303,57 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server, NULL, "NOTICE %s :\01%s%s%s\01", nick, - ctcp_upper, - (arguments) ? " " : "", - (arguments) ? arguments : ""); + dup_ctcp, + (dup_args) ? " " : "", + (dup_args) ? dup_args : ""); + if (!hashtable) + goto end; - if (hashtable) + if (weechat_config_boolean (irc_config_look_display_ctcp_reply)) { - if (weechat_config_boolean (irc_config_look_display_ctcp_reply)) + number = 1; + while (1) { - number = 1; - while (1) - { - snprintf (hash_key, sizeof (hash_key), "args%d", number); - str_args = weechat_hashtable_get (hashtable, hash_key); - if (!str_args) - break; - str_args_color = irc_color_decode (str_args, 1); - if (!str_args_color) - break; - weechat_printf_date_tags ( - irc_msgbuffer_get_target_buffer ( - server, nick, NULL, "ctcp", - (channel) ? channel->buffer : NULL), - 0, - irc_protocol_tags ( - command, - tags, - "irc_ctcp,irc_ctcp_reply,self_msg,notify_none," - "no_highlight", - NULL, NULL), - _("%sCTCP reply to %s%s%s: %s%s%s%s%s"), - weechat_prefix ("network"), - irc_nick_color_for_msg (server, 0, NULL, nick), - nick, - IRC_COLOR_RESET, - IRC_COLOR_CHAT_CHANNEL, - ctcp_upper, - (str_args_color[0]) ? IRC_COLOR_RESET : "", - (str_args_color[0]) ? " " : "", - str_args_color); - free (str_args_color); - number++; - } + snprintf (hash_key, sizeof (hash_key), "args%d", number); + str_args = weechat_hashtable_get (hashtable, hash_key); + if (!str_args) + break; + str_args_color = irc_color_decode (str_args, 1); + if (!str_args_color) + break; + weechat_printf_date_tags ( + irc_msgbuffer_get_target_buffer ( + server, nick, NULL, "ctcp", + (channel) ? channel->buffer : NULL), + 0, + irc_protocol_tags ( + command, + tags, + "irc_ctcp,irc_ctcp_reply,self_msg,notify_none," + "no_highlight", + NULL, NULL), + _("%sCTCP reply to %s%s%s: %s%s%s%s%s"), + weechat_prefix ("network"), + irc_nick_color_for_msg (server, 0, NULL, nick), + nick, + IRC_COLOR_RESET, + IRC_COLOR_CHAT_CHANNEL, + dup_ctcp, + (str_args_color[0]) ? IRC_COLOR_RESET : "", + (str_args_color[0]) ? " " : "", + str_args_color); + free (str_args_color); + number++; } - weechat_hashtable_free (hashtable); } - free (ctcp_upper); +end: + if (dup_ctcp) + free (dup_ctcp); + if (dup_args) + free (dup_args); + if (hashtable) + weechat_hashtable_free (hashtable); } /*