irc: limit size of data received from the server to prevent memory exhaustion

A malicious or compromised IRC server could send data with no end-of-line (or a flood of "005" messages), making WeeChat accumulate it in a buffer that grew without limit, until all memory was exhausted. The unterminated received message and the accumulated "005" (ISUPPORT) data are now bounded by IRC_SERVER_RECV_MSG_MAX_LENGTH and IRC_SERVER_ISUPPORT_MAX_LENGTH: extra data is ignored once the limit is reached.
2026-06-25 04:16:38 +02:00 · 2026-06-01 21:53:03 +02:00
parent f5fa814fa4
commit e5df225d9f
6 changed files with 117 additions and 9 deletions
@@ -63,6 +63,49 @@ TEST(IrcServer, Valid)
    irc_server_free (server);
 }

+/*
+ * Tests functions:
+ *   irc_server_msgq_add_unterminated (via irc_server_msgq_add_buffer)
+ *
+ * Check that data received without any end-of-line does not grow the
+ * unterminated message buffer without limit.
+ */
+
+TEST(IrcServer, MsgqAddBufferLimit)
+{
+    struct t_irc_server *server;
+    char chunk[4097];
+    int i;
+    size_t length1, length2;
+
+    server = irc_server_alloc ("server_msgq");
+    CHECK(server);
+
+    memset (chunk, 'a', sizeof (chunk) - 1);
+    chunk[sizeof (chunk) - 1] = '\0';
+
+    /* feed a lot of data with no end-of-line */
+    for (i = 0; i < 100; i++)
+    {
+        irc_server_msgq_add_buffer (server, chunk);
+    }
+    CHECK(server->unterminated_message);
+    length1 = strlen (server->unterminated_message);
+
+    /* the buffer must be bounded (not ~400 KB) */
+    CHECK(length1 <= IRC_SERVER_RECV_MSG_MAX_LENGTH + sizeof (chunk));
+
+    /* feeding more data must not grow the buffer any further */
+    for (i = 0; i < 100; i++)
+    {
+        irc_server_msgq_add_buffer (server, chunk);
+    }
+    length2 = strlen (server->unterminated_message);
+    LONGS_EQUAL(length1, length2);
+
+    irc_server_free (server);
+}
+
 /*
 * Tests functions:
 *   irc_server_search