core: set pointers to NULL after free of data when a buffer is closed (issue #2332 )

doc/api: note that colors param is supported nicks endpoint
relay/api: fix memory leak in resources "handshake", "input" and "completion"
2026-06-30 14:56:39 +02:00 · 2026-06-30 10:18:05 +02:00 · 2026-06-30 10:17:20 +02:00 · 2026-06-17 21:55:06 +02:00 · 2026-06-17 21:31:53 +02:00 · 2026-06-12 13:03:20 +02:00
8 changed files with 101 additions and 9 deletions
@@ -6,6 +6,14 @@ SPDX-License-Identifier: GPL-3.0-or-later

 # WeeChat ChangeLog

+## Version 4.9.3 (under dev)
+
+### Fixed
+
+- core: fix buffer overflow in connection to SOCKS5 proxy ([#2325](https://github.com/weechat/weechat/issues/2325))
+- relay/api: fix memory leak in resources "handshake", "input" and "completion"
+- xfer: fix out-of-bounds write in xfer file transfer resume ([#2326](https://github.com/weechat/weechat/issues/2326))
+
 ## Version 4.9.2 (2026-06-07)

 ### Fixed
@@ -25,9 +33,9 @@ SPDX-License-Identifier: GPL-3.0-or-later

 - core: fix option weechat.look.color_real_white not applied when color is "white" on 16+ colors terminals ([#1742](https://github.com/weechat/weechat/issues/1742))
 - irc: fix tag in message with list of names when joining a channel
- relay: limit size of decompressed websocket frame with permessage-deflate to prevent memory exhaustion ([GHSA-v2v4-45wm-5cr3](https://github.com/weechat/weechat/security/advisories/GHSA-v2v4-45wm-5cr3))
- relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
- api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
+- relay: limit size of decompressed websocket frame with permessage-deflate to prevent memory exhaustion ([GHSA-v2v4-45wm-5cr3](https://github.com/weechat/weechat/security/advisories/GHSA-v2v4-45wm-5cr3), [CVE-2026-53524](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53524))
+- relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc), [CVE-2026-53525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53525))
+- api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc), [CVE-2026-53525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53525))

 ## Version 4.9.0 (2026-03-29)

@@ -1028,6 +1028,13 @@ Path parameters:
  confused with the buffer number, which is different)
 * `buffer_name` (string, **required**): buffer name

+Query parameters:
+
+* `colors` (string, optional, default: `ansi`): how to return strings with color codes:
+** `ansi`: return ANSI color codes
+** `weechat`: return WeeChat internal color codes
+** `strip`: strip colors
+
 Request example: get nicks of a buffer:

 [source,shell]
@@ -1040,6 +1040,14 @@ Paramètres de chemin :
  confondre avec le numéro du tampon, qui est différent)
 * `buffer_name` (chaîne, **obligatoire**) : nom du tampon

+Paramètres de requête :
+
+* `colors` (chaîne, facultatif, par défaut : `ansi`) : comment les chaînes avec
+  des couleurs sont retournées :
+** `ansi` : retourner les codes couleur ANSI
+** `weechat` : retourner les codes couleur internes WeeChat
+** `strip` : supprimer les couleurs
+
 Exemple de requête : obtenir les pseudos d'un tampon :

 [source,shell]
@@ -1024,12 +1024,19 @@ GET /api/buffers/{id_бафера}/nicks
 GET /api/buffers/{име_бафера}/nicks
 ----

-Параметри упита:
+Параметри путање:

 * `id_бафера` (цео број, **обавезно**): јединствени идентификатор бафера (не треба
  да се помеша са бројем бафера, то је нешто друго)
 * `име_бафера` (стринг, **обавезно**): име бафера

+Параметри упита:
+
+* `colors` (стринг, није обавезно, подразумевано: `ansi`): како се враћају стрингови са кодовима боје:
+** `ansi`: враћају се ANSI кодови боје
+** `weechat`: враћају се WeeChat интерни кодови боје
+** `strip`: уклањају се боје
+
 Пример захтева: врати надимке бафера:

 [source,shell]
@@ -581,7 +581,13 @@ network_pass_socks5proxy (struct t_proxy *proxy, int sock, const char *address,
                          int port)
 {
    struct t_network_socks5 socks5;
-    unsigned char buffer[288];
+    /*
+     * buffer must be large enough for the username/password authentication
+     * request, which is the longest message sent/received here; according to
+     * RFC 1929 it is: version (1) + username length (1) + username (max 255)
+     * + password length (1) + password (max 255)
+     */
+    unsigned char buffer[2 + 255 + 1 + 255];
    int username_len, password_len, addr_len, addr_buffer_len;
    unsigned char *addr_buffer;
    char *username, *password;
@@ -630,6 +636,18 @@ network_pass_socks5proxy (struct t_proxy *proxy, int sock, const char *address,
        username_len = strlen (username);
        password_len = strlen (password);

+        /*
+         * username and password length are each stored on a single byte
+         * (RFC 1929), so they cannot exceed 255 bytes: reject longer values,
+         * otherwise the memcpy calls below would overflow the buffer
+         */
+        if ((username_len > 255) || (password_len > 255))
+        {
+            free (username);
+            free (password);
+            return 0;
+        }
+
        /* make username/password buffer */
        buffer[0] = 1;
        buffer[1] = (unsigned char) username_len;
@@ -3804,6 +3804,7 @@ gui_buffer_close (struct t_gui_buffer *buffer)

    gui_hotlist_remove_buffer (buffer, 1);
    free (buffer->hotlist_removed);
+    buffer->hotlist_removed = NULL;
    if (gui_hotlist_initial_buffer == buffer)
        gui_hotlist_initial_buffer = NULL;

@@ -3822,55 +3823,85 @@ gui_buffer_close (struct t_gui_buffer *buffer)
    /* free all lines */
    gui_line_free_all (buffer);
    free (buffer->own_lines);
+    buffer->own_lines = NULL;
    free (buffer->mixed_lines);
+    buffer->mixed_lines = NULL;

    /* free some data */
    gui_buffer_undo_free_all (buffer);
    gui_history_buffer_free (buffer);
    gui_completion_free (buffer->completion);
+    buffer->completion = NULL;
    gui_nicklist_remove_all (buffer);
    gui_nicklist_remove_group (buffer, buffer->nicklist_root);
+    buffer->nicklist_root = NULL;
    hashtable_free (buffer->hotlist_max_level_nicks);
+    buffer->hotlist_max_level_nicks = NULL;
    gui_key_free_all (-1, &buffer->keys, &buffer->last_key,
                      &buffer->keys_count, 0);
    gui_buffer_local_var_remove_all (buffer);
    hashtable_free (buffer->local_variables);
+    buffer->local_variables = NULL;
    free (buffer->plugin_name_for_upgrade);
+    buffer->plugin_name_for_upgrade = NULL;
    free (buffer->name);
+    buffer->name = NULL;
    free (buffer->full_name);
+    buffer->full_name = NULL;
    free (buffer->old_full_name);
+    buffer->old_full_name = NULL;
    free (buffer->short_name);
+    buffer->short_name = NULL;
    free (buffer->title);
+    buffer->title = NULL;
    free (buffer->modes);
+    buffer->modes = NULL;
    free (buffer->input_prompt);
+    buffer->input_prompt = NULL;
    free (buffer->input_buffer);
+    buffer->input_buffer = NULL;
    free (buffer->input_undo_snap);
+    buffer->input_undo_snap = NULL;
    free (buffer->text_search_input);
+    buffer->text_search_input = NULL;
    if (buffer->text_search_regex_compiled)
    {
        regfree (buffer->text_search_regex_compiled);
        free (buffer->text_search_regex_compiled);
+        buffer->text_search_regex_compiled = NULL;
    }
    free (buffer->highlight_words);
+    buffer->highlight_words = NULL;
    free (buffer->highlight_disable_regex);
+    buffer->highlight_disable_regex = NULL;
    if (buffer->highlight_disable_regex_compiled)
    {
        regfree (buffer->highlight_disable_regex_compiled);
        free (buffer->highlight_disable_regex_compiled);
+        buffer->highlight_disable_regex_compiled = NULL;
    }
    free (buffer->highlight_regex);
+    buffer->highlight_regex = NULL;
    if (buffer->highlight_regex_compiled)
    {
        regfree (buffer->highlight_regex_compiled);
        free (buffer->highlight_regex_compiled);
+        buffer->highlight_regex_compiled = NULL;
    }
    free (buffer->highlight_tags_restrict);
+    buffer->highlight_tags_restrict = NULL;
    string_free_split_tags (buffer->highlight_tags_restrict_array);
+    buffer->highlight_tags_restrict_array = NULL;
    free (buffer->highlight_tags);
+    buffer->highlight_tags = NULL;
    string_free_split_tags (buffer->highlight_tags_array);
+    buffer->highlight_tags_array = NULL;
    free (buffer->input_callback_data);
+    buffer->input_callback_data = NULL;
    free (buffer->close_callback_data);
+    buffer->close_callback_data = NULL;
    free (buffer->nickcmp_callback_data);
+    buffer->nickcmp_callback_data = NULL;

    /* remove buffer from buffers list */
    if (buffer->prev_buffer)
@@ -402,7 +402,10 @@ RELAY_API_PROTOCOL_CALLBACK(handshake)
    if (json_body)
    {
        if (!cJSON_IsObject (json_body))
+        {
+            cJSON_Delete (json_body);
            return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+        }
        json_algos = cJSON_GetObjectItem (json_body, "password_hash_algo");
        if (json_algos)
        {
@@ -781,8 +784,13 @@ RELAY_API_PROTOCOL_CALLBACK(input)
    char str_delay[32];

    json_body = cJSON_Parse (client->http_req->body);
-    if (!json_body || !cJSON_IsObject (json_body))
+    if (!json_body)
        return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+    if (!cJSON_IsObject (json_body))
+    {
+        cJSON_Delete (json_body);
+        return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+    }

    /* get buffer either by name or by id */
    ptr_buffer = NULL;
@@ -908,8 +916,13 @@ RELAY_API_PROTOCOL_CALLBACK(completion)
    struct t_gui_buffer *ptr_buffer;

    json_body = cJSON_Parse (client->http_req->body);
-    if (!json_body || !cJSON_IsObject(json_body))
+    if (!json_body)
        return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+    if (!cJSON_IsObject(json_body))
+    {
+        cJSON_Delete (json_body);
+        return RELAY_API_PROTOCOL_RC_BAD_REQUEST;
+    }

    /* get buffer either by name or by id */
    ptr_buffer = NULL;
@@ -242,8 +242,8 @@ int
 xfer_dcc_resume_hash (struct t_xfer *xfer)
 {
    char *buf;
-    unsigned long long total_read;
-    ssize_t length_buf, to_read, num_read;
+    unsigned long long total_read, length_buf, to_read;
+    ssize_t num_read;
    int ret, fd;

    total_read = 0;
Author	SHA1	Message	Date
Sébastien Helleu	cfa59405cf	core: set pointers to NULL after free of data when a buffer is closed (issue #2332 )	2026-06-30 10:18:05 +02:00
Matthew Horan	9388c01074	doc/api: note that colors param is supported nicks endpoint	2026-06-30 10:17:20 +02:00
Sébastien Helleu	0cd736af22	relay/api: fix memory leak in resources "handshake", "input" and "completion"	2026-06-17 21:55:06 +02:00
aizu-m	703120bbfb	xfer: fix out-of-bounds write in xfer_dcc_resume_hash (#2326 )	2026-06-17 21:31:53 +02:00
aizu-m	12c4170fbf	core: fix buffer overflow in function network_pass_socks5proxy (#2325 ) bound the configured proxy username and password before they are copied into the fixed stack buffer in network_pass_socks5proxy, otherwise a login longer than the buffer (a long password or token) overruns it while building the SOCKS5 auth request.	2026-06-12 13:03:20 +02:00
Sébastien Helleu	e9138c5d55	core: add CVE IDs in ChangeLog	2026-06-09 22:12:25 +02:00