SECURITY: Fixed a message handling bug which could crash the daemon.
[ngircd-alex.git] / src / ngircd / irc-channel.c
index 203e32f4e2961835b7ba56aab6158f693873137e..f64570ad6483924c8a72fd08ac8b74088ebf31e7 100644 (file)
@@ -182,7 +182,7 @@ join_send_topic(CLIENT *Client, CLIENT *target, CHANNEL *chan,
 GLOBAL bool
 IRC_JOIN( CLIENT *Client, REQUEST *Req )
 {
-       char *channame, *key = NULL, *flags, *lastkey, *lastchan;
+       char *channame, *key = NULL, *flags, *lastkey = NULL, *lastchan = NULL;
        CLIENT *target;
        CHANNEL *chan;
 
@@ -214,6 +214,11 @@ IRC_JOIN( CLIENT *Client, REQUEST *Req )
        channame = Req->argv[0];
        channame = strtok_r(channame, ",", &lastchan);
 
+       /* Make sure that "channame" is not the empty string ("JOIN :") */
+       if (! channame)
+               return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG,
+                                         Client_ID(Client), Req->command);
+
        while (channame) {
                flags = NULL;
 
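Review bot: The comment on the new guard understates when it fires. strtok_r() skips leading delimiters, so `channame` is NULL not only for an empty argument ("JOIN :") but also for an argument consisting solely of commas. Since this guard is the security fix, the comment should name the whole input class, e.g. `/* strtok_r() yields NULL for an empty or comma-only list ("JOIN :", "JOIN ,") */`; the same applies to the matching comment in the IRC_PART hunk. IRC_JOIN starts and continues outside this hunk, so whether the key list in `Req->argv[1]` is tokenised with an equivalent NULL check cannot be confirmed from here.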
@@ -318,6 +323,12 @@ IRC_PART(CLIENT * Client, REQUEST * Req)
 
        /* Loop over all the given channel names */
        chan = strtok(Req->argv[0], ",");
+
+       /* Make sure that "chan" is not the empty string ("PART :") */
+       if (! chan)
+               return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG,
+                                         Client_ID(Client), Req->command);
+
        while (chan) {
                Channel_Part(target, Client, chan,
                             Req->argc > 1 ? Req->argv[1] : Client_ID(target));
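Review bot: IRC_PART still tokenises with `strtok()`, whereas IRC_JOIN in the same file uses `strtok_r()`. The hidden static state of `strtok()` has to survive the `Channel_Part()` call inside the loop, so any tokenising further down that call path (not visible here) would silently break iteration over the channel list. Suggest a local `char *lastchan = NULL;` and `chan = strtok_r(Req->argv[0], ",", &lastchan);`, with the continuation call at the end of the loop changed to match. The rest of the loop body and the start of the function lie outside the hunk.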