mirror of https://github.com/weechat/weechat.git synced 2026-07-04 16:53:14 +02:00

relay: check pointers received in hdata command to prevent crashes with bad pointers (WeeChat protocol)

Sébastien Helleu
2014-05-24 18:18:11 +02:00
parent 7aaf3be15b
commit faae8f470b
16 changed files with 197 additions and 51 deletions
+28 -4
@@ -541,9 +541,13 @@ relay_weechat_msg_add_hdata_path (struct t_relay_weechat_msg *msg,
*
* Argument keys is optional: if not NULL, comma-separated list of keys to
* return for hdata.
*
* Returns:
* 1: hdata added to message
* 0: error (hdata NOT added to message)
*/
void
int
relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
const char *path, const char *keys)
{
@@ -553,9 +557,11 @@ relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
const char *hdata_name, *array_size;
void *pointer, **path_pointers;
long unsigned int value;
int num_keys, num_path, i, type, pos_count, count, rc;
int rc, num_keys, num_path, i, type, pos_count, count, rc_sscanf;
uint32_t count32;
rc = 0;
hdata_head = NULL;
list_keys = NULL;
num_keys = 0;
@@ -587,9 +593,23 @@ relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
pos[0] = '\0';
if (strncmp (list_path[0], "0x", 2) == 0)
{
rc = sscanf (list_path[0], "%lx", &value);
if ((rc != EOF) && (rc != 0))
rc_sscanf = sscanf (list_path[0], "%lx", &value);
if ((rc_sscanf != EOF) && (rc_sscanf != 0))
{
pointer = (void *)value;
if (!weechat_hdata_check_pointer (ptr_hdata_head, NULL, pointer))
{
if (weechat_relay_plugin->debug >= 1)
{
weechat_printf (NULL,
_("%s: invalid pointer in hdata path: "
"\"%s\""),
RELAY_PLUGIN_NAME,
path);
}
goto end;
}
}
}
else
pointer = weechat_hdata_get_list (ptr_hdata_head, list_path[0]);
@@ -709,6 +729,8 @@ relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
count32 = htonl ((uint32_t)count);
relay_weechat_msg_set_bytes (msg, pos_count, &count32, 4);
rc = 1;
end:
if (list_keys)
weechat_string_free_split (list_keys);
@@ -720,6 +742,8 @@ end:
free (path_returned);
if (hdata_head)
free (hdata_head);
return rc;
}
/*
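Review bot: The `weechat_hdata_check_pointer` call in the `0x` branch is reached only when `sscanf` reports a conversion, so a path that starts with `0x` but fails to convert skips both the assignment and the check and continues with whatever `pointer` already held. That is safe only if `pointer` is set to NULL before this block and tested after it, and both of those lie outside the hunk (the function body starts and ends outside it); an explicit `else goto end;` on the `rc_sscanf` test would make the rejection local. `%lx` also stops at the first non-hex character and has no defined result for an out-of-range value, so `strtoul` with an end-pointer and `errno` check would parse the client-supplied string more strictly before the cast to `void *`. The rejection is printed only when `weechat_relay_plugin->debug >= 1`, so by default a relay client that keeps sending invalid pointers leaves no trace for the operator.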
@@ -68,8 +68,8 @@ extern void relay_weechat_msg_add_pointer (struct t_relay_weechat_msg *msg,
void *pointer);
extern void relay_weechat_msg_add_time (struct t_relay_weechat_msg *msg,
time_t time);
extern void relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
const char *path, const char *keys);
extern int relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
const char *path, const char *keys);
extern void relay_weechat_msg_add_infolist (struct t_relay_weechat_msg *msg,
const char *name,
void *pointer,
@@ -215,9 +215,11 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(hdata)
msg = relay_weechat_msg_new (id);
if (msg)
{
relay_weechat_msg_add_hdata (msg, argv[0],
(argc > 1) ? argv_eol[1] : NULL);
relay_weechat_msg_send (client, msg);
if (relay_weechat_msg_add_hdata (msg, argv[0],
(argc > 1) ? argv_eol[1] : NULL))
{
relay_weechat_msg_send (client, msg);
}
relay_weechat_msg_free (msg);
}
@@ -311,7 +313,18 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(nicklist)
{
ptr_buffer = relay_weechat_protocol_get_buffer (argv[0]);
if (!ptr_buffer)
{
if (weechat_relay_plugin->debug >= 1)
{
weechat_printf (NULL,
_("%s: invalid buffer pointer in message: "
"\"%s %s\""),
RELAY_PLUGIN_NAME,
command,
argv_eol[0]);
}
return WEECHAT_RC_OK;
}
}
msg = relay_weechat_msg_new (id);
@@ -379,26 +392,37 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(input)
RELAY_WEECHAT_PROTOCOL_MIN_ARGS(2);
ptr_buffer = relay_weechat_protocol_get_buffer (argv[0]);
if (ptr_buffer)
if (!ptr_buffer)
{
pos = strchr (argv_eol[0], ' ');
if (pos)
if (weechat_relay_plugin->debug >= 1)
{
/*
* use a timer to execute the command after we go back in the
* WeeChat main loop (some commands like /upgrade executed now can
* cause a crash)
*/
timer_args = malloc (2 * sizeof (*timer_args));
if (timer_args)
{
timer_args[0] = strdup (weechat_buffer_get_string (ptr_buffer,
"full_name"));
timer_args[1] = strdup (pos + 1);
weechat_hook_timer (1, 0, 1,
&relay_weechat_protocol_input_timer_cb,
timer_args);
}
weechat_printf (NULL,
_("%s: invalid buffer pointer in message: "
"\"%s %s\""),
RELAY_PLUGIN_NAME,
command,
argv_eol[0]);
}
return WEECHAT_RC_OK;
}
pos = strchr (argv_eol[0], ' ');
if (pos)
{
/*
* use a timer to execute the command after we go back in the
* WeeChat main loop (some commands like /upgrade executed now can
* cause a crash)
*/
timer_args = malloc (2 * sizeof (*timer_args));
if (timer_args)
{
timer_args[0] = strdup (weechat_buffer_get_string (ptr_buffer,
"full_name"));
timer_args[1] = strdup (pos + 1);
weechat_hook_timer (1, 0, 1,
&relay_weechat_protocol_input_timer_cb,
timer_args);
}
}