core: update ChangeLog (#2325 )

core: fix buffer overflow in function network_pass_socks5proxy (#2325 )
bound the configured proxy username and password before they are copied into the fixed stack buffer in network_pass_socks5proxy, otherwise a login longer than the buffer (a long password or token) overruns it while building the SOCKS5 auth request.
2026-06-12 14:14:48 +02:00 · 2026-06-12 13:02:05 +02:00 · 2026-06-12 13:00:17 +02:00
2 changed files with 20 additions and 1 deletions
@@ -23,6 +23,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 ### Fixed

 - core: fix option weechat.look.color_real_white not applied when color is "white" on 16+ colors terminals ([#1742](https://github.com/weechat/weechat/issues/1742))
+- core: fix buffer overflow in connection to SOCKS5 proxy ([#2325](https://github.com/weechat/weechat/issues/2325))
 - api: fix infinite loop in function string_replace when the search string is empty
 - irc: fix tag in message with list of names when joining a channel
 - fset: remove error displayed in core buffer when clicking with the mouse below the last option displayed
@@ -582,7 +582,13 @@ network_pass_socks5proxy (struct t_proxy *proxy, int sock, const char *address,
                          int port)
 {
    struct t_network_socks5 socks5;
-    unsigned char buffer[288];
+    /*
+     * buffer must be large enough for the username/password authentication
+     * request, which is the longest message sent/received here; according to
+     * RFC 1929 it is: version (1) + username length (1) + username (max 255)
+     * + password length (1) + password (max 255)
+     */
+    unsigned char buffer[2 + 255 + 1 + 255];
    int username_len, password_len, addr_len, addr_buffer_len;
    unsigned char *addr_buffer;
    char *username, *password;
@@ -631,6 +637,18 @@ network_pass_socks5proxy (struct t_proxy *proxy, int sock, const char *address,
        username_len = strlen (username);
        password_len = strlen (password);

+        /*
+         * username and password length are each stored on a single byte
+         * (RFC 1929), so they cannot exceed 255 bytes: reject longer values,
+         * otherwise the memcpy calls below would overflow the buffer
+         */
+        if ((username_len > 255) || (password_len > 255))
+        {
+            free (username);
+            free (password);
+            return 0;
+        }
+
        /* make username/password buffer */
        buffer[0] = 1;
        buffer[1] = (unsigned char) username_len;