irc: limit size of data received from the server to prevent memory exhaustion

A malicious or compromised IRC server could send data with no end-of-line (or a flood of "005" messages), making WeeChat accumulate it in a buffer that grew without limit, until all memory was exhausted. The unterminated received message and the accumulated "005" (ISUPPORT) data are now bounded by IRC_SERVER_RECV_MSG_MAX_LENGTH and IRC_SERVER_ISUPPORT_MAX_LENGTH: extra data is ignored once the limit is reached.
2026-06-25 12:26:40 +02:00 · 2026-06-01 21:53:03 +02:00
parent f5fa814fa4
commit e5df225d9f
6 changed files with 117 additions and 9 deletions
@@ -4143,16 +4143,25 @@ IRC_PROTOCOL_CALLBACK(005)
        if (ctxt->server->isupport)
        {
            length_isupport = strlen (ctxt->server->isupport);
-            isupport2 = realloc (ctxt->server->isupport,
-                                 length_isupport +  /* existing */
-                                 1 +  /* space */
-                                 length +  /* new */
-                                 1);
-            if (isupport2)
+            /*
+             * limit the size of the accumulated ISUPPORT data: once the
+             * maximum is reached, ignore the extra data (protection against a
+             * server flooding "005" messages, which would consume all the
+             * memory)
+             */
+            if (length_isupport + 1 + length < IRC_SERVER_ISUPPORT_MAX_LENGTH)
            {
-                ctxt->server->isupport = isupport2;
-                strcat (ctxt->server->isupport, " ");
-                strcat (ctxt->server->isupport, str_info);
+                isupport2 = realloc (ctxt->server->isupport,
+                                     length_isupport +  /* existing */
+                                     1 +  /* space */
+                                     length +  /* new */
+                                     1);
+                if (isupport2)
+                {
+                    ctxt->server->isupport = isupport2;
+                    strcat (ctxt->server->isupport, " ");
+                    strcat (ctxt->server->isupport, str_info);
+                }
            }
        }
        else
@@ -3409,6 +3409,14 @@ irc_server_msgq_add_unterminated (struct t_irc_server *server,

    if (server->unterminated_message)
    {
+        /*
+         * limit the size of the unterminated message: once the maximum is
+         * reached, ignore the extra data (protection against a server sending
+         * a very long line without end-of-line, which would consume all the
+         * memory)
+         */
+        if (strlen (server->unterminated_message) >= IRC_SERVER_RECV_MSG_MAX_LENGTH)
+            return;
        unterminated_message2 =
            realloc (server->unterminated_message,
                     (strlen (server->unterminated_message) +
@@ -142,6 +142,15 @@ enum t_irc_server_option
 #define IRC_SERVER_MULTILINE_DEFAULT_MAX_BYTES 4096
 #define IRC_SERVER_MULTILINE_DEFAULT_MAX_LINES 24

+/*
+ * maximum length of an unterminated message (a received line without
+ * end-of-line) and of the accumulated "005" (ISUPPORT) data; these limits
+ * protect against a server sending a huge amount of data without end-of-line
+ * (or a flood of "005" messages), which would consume all the memory
+ */
+#define IRC_SERVER_RECV_MSG_MAX_LENGTH (64 * 1024)
+#define IRC_SERVER_ISUPPORT_MAX_LENGTH (64 * 1024)
+
 /* casemapping (string comparisons for nicks/channels) */
 enum t_irc_server_casemapping
 {