pegasus/weechat
1
0
Fork 0
mirror of https://github.com/weechat/weechat.git synced 2026-06-26 12:56:37 +02:00
Code Activity

irc: limit size of data received from the server to prevent memory exhaustion

Browse Source 
A malicious or compromised IRC server could send data with no end-of-line
(or a flood of "005" messages), making WeeChat accumulate it in a buffer
that grew without limit, until all memory was exhausted.

The unterminated received message and the accumulated "005" (ISUPPORT)
data are now bounded by IRC_SERVER_RECV_MSG_MAX_LENGTH and
IRC_SERVER_ISUPPORT_MAX_LENGTH: extra data is ignored once the limit is
reached.
This commit is contained in:
Sébastien Helleu
2026-06-01 21:53:03 +02:00
parent f5fa814fa4
commit e5df225d9f
6 changed files with 117 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/plugins/irc/irc-protocol.c
+18 -9
View File
@@ -4143,16 +4143,25 @@ IRC_PROTOCOL_CALLBACK(005)
if (ctxt->server->isupport)
{
length_isupport = strlen (ctxt->server->isupport);
isupport2 = realloc (ctxt->server->isupport,
length_isupport + /* existing */
1 + /* space */
length + /* new */
1);
if (isupport2)
/*
* limit the size of the accumulated ISUPPORT data: once the
* maximum is reached, ignore the extra data (protection against a
* server flooding "005" messages, which would consume all the
* memory)
*/
if (length_isupport + 1 + length < IRC_SERVER_ISUPPORT_MAX_LENGTH)
{
ctxt->server->isupport = isupport2;
strcat (ctxt->server->isupport, " ");
strcat (ctxt->server->isupport, str_info);
isupport2 = realloc (ctxt->server->isupport,
length_isupport + /* existing */
1 + /* space */
length + /* new */
1);
if (isupport2)
{
ctxt->server->isupport = isupport2;
strcat (ctxt->server->isupport, " ");
strcat (ctxt->server->isupport, str_info);
}
}
}
else